A critical security vulnerability has been identified in Red Hat OpenShift AI Service, designated as CVE-2025-10725, which allows low-privileged users to escalate their privileges to full cluster administrators. This flaw poses a significant risk to the confidentiality, integrity, and availability of the entire AI platform and its hosted applications.
Overview of the Vulnerability
Red Hat OpenShift AI is an enterprise-grade platform designed for building, deploying, and managing AI and machine learning workloads at scale. It integrates tools like Jupyter notebooks to facilitate data scientists in their workflows. The identified vulnerability enables an authenticated user with minimal privileges, such as a data scientist using a standard Jupyter notebook, to escalate their access rights to that of a full cluster administrator. This escalation grants the attacker comprehensive control over the entire OpenShift cluster, leading to potential data breaches, service disruptions, and infrastructure compromise.
Technical Details
The root cause of CVE-2025-10725 lies in an overly permissive ClusterRole assignment within the Red Hat OpenShift AI Service. Specifically, the system:authenticated group is linked to the kueue-batch-user-role, granting any authenticated user broad job-creation rights across the cluster. This misconfiguration allows users, such as data scientists operating standard Jupyter notebook accounts, to create job clusters. By crafting malicious jobs that run with elevated privileges, an attacker can hijack the cluster control plane. Once administrative privileges are obtained, the threat actor can:
– Access all cluster resources and secrets
– Modify or delete workloads
– Exfiltrate sensitive data
– Disrupt services and infrastructure
The vulnerability has been assigned a CVSS v3.1 score of 9.9, indicating its critical nature. The attack vector is network-based, meaning exploitation can occur remotely without physical access. The low attack complexity and low privileges required make it highly exploitable, especially in environments where multiple users have access to the platform.
Affected Versions
The following versions of Red Hat OpenShift AI are affected by this vulnerability:
– Red Hat OpenShift AI 2.19
– Red Hat OpenShift AI 2.21
– Red Hat OpenShift AI (RHOAI)
Mitigation Recommendations
To remediate this vulnerability, administrators should apply strict least-privilege principles:
1. Revoke the offending ClusterRoleBinding: Remove any bindings that attach kueue-batch-user-role to system:authenticated.
2. Define explicit job-creation roles: Assign the kueue-batch-user-role only to specific user accounts or groups that require batch job permissions.
3. Audit existing roles and bindings: Review all ClusterRoleBindings for overly broad assignments and ensure permissions align with actual job requirements.
4. Enforce separation of duties: Maintain distinct roles for development, analytics, and administrative functions to limit privilege escalation paths.
By implementing these measures, organizations can mitigate the risk associated with CVE-2025-10725 and enhance the security posture of their Red Hat OpenShift AI deployments.
