CVE-2019-11253 in Kubernetes

Summary

by MITRE

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.


Analysis

by VulDB Data Team • 02/24/2026

The vulnerability described in CVE-2019-11253 represents a critical denial of service weakness within the Kubernetes API server that affects multiple versions of the container orchestration platform. This issue stems from inadequate input validation mechanisms within the API server's processing pipeline, specifically when handling YAML or JSON payloads submitted by authorized users. The flaw allows malicious actors to craft specially formatted requests that cause the API server to consume excessive computational resources, leading to system instability and potential unavailability of the cluster services. The vulnerability impacts Kubernetes versions ranging from v1.0 through v1.12 and includes specific affected releases prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2, making it a widespread concern across numerous deployments.

The technical root cause of this vulnerability aligns with CWE-20, improper input validation, and manifests as the API server's failure to limit the complexity of incoming requests before processing them. When a user submits a malicious payload, the server's decoding logic is driven into computationally expensive operations that consume disproportionate CPU time and memory. This resource exhaustion can leave the API server unresponsive or crash it entirely, disrupting cluster operations and affecting every workload that depends on the API server for configuration management and orchestration. Exploitation requires only the ability to send a request the server will decode, which in the affected versions means an authorized account (and, under the older default RBAC policy, even an anonymous one), so it can be leveraged by compromised accounts or by insiders with legitimate privileges.

The operational impact of CVE-2019-11253 extends beyond simple service disruption to broader security implications for Kubernetes deployments. Prior to version v1.14.0, the default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability, creating a wider attack surface than intended. Because clusters upgraded from pre-v1.14.0 versions keep that more permissive policy for backward compatibility, an upgraded cluster that has not yet reached a patched release remains reachable by unauthenticated callers, not just by authorized users. Successful exploitation can result in complete API server unavailability, preventing legitimate users from managing their clusters, deploying applications, or performing essential administrative tasks. This disruption can cascade through the entire Kubernetes infrastructure, affecting application availability and potentially causing business continuity issues for organizations relying on containerized workloads.

Organizations should upgrade to patched versions of Kubernetes, specifically v1.13.12, v1.14.8, v1.15.5, and v1.16.2 or later. The recommended approach is to assess all Kubernetes clusters to identify API servers running vulnerable versions and to apply access controls that minimize the attack surface. Security teams should also consider rate limiting and resource quotas on API server requests so that a single user cannot consume excessive resources. Additionally, organizations should review and tighten their RBAC policies so that only users with a legitimate need can submit requests to the API server, with particular attention to removing anonymous access where possible. The mitigation strategy should also include monitoring and alerting to detect unusual resource consumption patterns that might indicate exploitation attempts, in keeping with defense-in-depth principles for cloud and container environments and the detection-oriented view of the MITRE ATT&CK framework.
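The assessment step above has two concrete parts that lend themselves to a script: deciding whether a reported API server version falls inside the affected ranges this entry lists, and finding ClusterRoleBindings that still grant access to the anonymous user or the unauthenticated group. The following is an added example written for this page, not VulDB or Kubernetes project code. It assumes the JSON shapes emitted by `kubectl version -o json` and `kubectl get clusterrolebindings -o json`; the sample documents are constructed inline so the script runs offline. The affected-range logic treats minors later than v1.16 and major versions other than 1 as unaffected, which is an assumption drawn from the advisory's wording rather than something it states outright.

```python
"""Assess a cluster against CVE-2019-11253 using the ranges in this entry.

Hypothetical helper written for this page (not VulDB or Kubernetes code).
"""
import json
import re
from typing import List, Optional, Tuple

# Fixed releases named in the advisory: on minors 13-16 a cluster is patched
# once it reaches this patch level. Minors 0-12 never received a fix.
FIXED_PATCH = {13: 12, 14: 8, 15: 5, 16: 2}

# Subjects that make a binding reachable without credentials. Clusters created
# before v1.14.0 kept bindings to these subjects by default (see the analysis).
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(git_version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a gitVersion such as 'v1.15.4-gke.18',
    or None when the string does not start with a semantic version."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(git_version: str) -> Optional[bool]:
    """True if the version is inside the affected ranges, False if patched or
    outside them, None if the version string cannot be parsed (treat as unknown)."""
    parsed = parse_version(git_version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    if major != 1:
        return False  # assumption: advisory covers the v1.x line only
    if minor <= 12:
        return True  # v1.0 through v1.12: no fixed release exists
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return False  # assumption: minors released after the fix are unaffected


def bindings_granting_anonymous(bindings_json: str) -> List[str]:
    """Names of ClusterRoleBindings whose subjects include the anonymous user
    or the unauthenticated group; these widen who can reach the API server."""
    doc = json.loads(bindings_json)
    hits = []
    for item in doc.get("items", []):
        for subj in item.get("subjects") or []:
            if (subj.get("kind"), subj.get("name")) in ANONYMOUS_SUBJECTS:
                hits.append(item["metadata"]["name"])
                break
    return hits


def assess(version_json: str, bindings_json: str) -> dict:
    """Combine both checks into one report for a single cluster."""
    git_version = json.loads(version_json)["serverVersion"]["gitVersion"]
    return {
        "version": git_version,
        "affected": is_affected(git_version),
        "anonymous_bindings": bindings_granting_anonymous(bindings_json),
    }


# Constructed sample input: an unpatched v1.15 server whose default bindings
# still include the pre-v1.14 grant of system:discovery to unauthenticated users.
SAMPLE_VERSION_JSON = json.dumps({"serverVersion": {"gitVersion": "v1.15.4"}})
SAMPLE_BINDINGS_JSON = json.dumps({
    "kind": "ClusterRoleBindingList",
    "items": [
        {"metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
    ],
})

if __name__ == "__main__":
    report = assess(SAMPLE_VERSION_JSON, SAMPLE_BINDINGS_JSON)
    print(json.dumps(report, indent=2))
```

A cluster that reports `affected: true` needs the version upgrade regardless of its RBAC state; a non-empty `anonymous_bindings` list on any version is worth reviewing on its own, since it is the condition that let unauthenticated callers reach this flaw in the first place.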

Responsible

Kubernetes

Reservation

04/17/2019

Moderation

accepted

CPE

ready

EPSS

0.84511

KEV

no

Activities

very low
