CVE-2023-48713: Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls...

Description

Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.87%

54.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-400

Affected Software

Vendor	Product	Versions
Knative	Serving	< 1.10.5
Knative	Serving	>= 1.11.0, < 1.11.3

References

Timeline

Published: Nov 28, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-48713?

Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause Denial-of-Service of the autoscaler from an unbound memory allocation bug. This is a DoS vulnerability, where a non-privileged Knative user can cause a DoS for the cluster. This issue has been patched in version 0.39.0.

How severe is CVE-2023-48713?

CVE-2023-48713 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.87% probability of exploitation in the next 30 days.

How do I fix CVE-2023-48713?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.