Guide to CVE-2025-9708

[tg123]

CVE-2025-9708

Solution 1: Update to KubernetesClient 17.0.13+ if dotnet8+

Most recommended

Common Issues when updating from version < 7.x

#772
#824

Solution 2: Cant update or using KubernetesClient.Classic (net48 or netstandard2.0)

1. Disable Custom CA

    config.SslCaCerts = null;
   

2. Trust CA from kubeconfig

Example

        static void Main(string[] args)
        {
            var config = KubernetesClientConfiguration.BuildDefaultConfig();
            config.SslCaCerts = null; // ADD THIS LINE

            IKubernetes client = new Kubernetes(config);
            Console.WriteLine("Starting Request!");

            var list = client.CoreV1.ListNamespacedPod("default");
            foreach (var item in list.Items)
            {
                Console.WriteLine(item.Metadata.Name);
            }
        }

Install-Module -Name powershell-yaml -Scope CurrentUser

.\importca.ps1 # see attached ps1

importca.ps1.zip

[crtreasu-msft]

I'm looking at the Version Compatibility and wondering if prior major versions for supported Kubernetes releases (prior to K8s 1.33) would be patched as well. Upgrading to v17.0.14 could mean using an "incompatible" version of the client with the Kubernetes API if you're using K8s < 1.33.

[tg123]

for most stable api likes pods
they are ok and have not changed for long

may i know what server version are you using

[yzhoholiev]

Which versions of KubernetesClient.Classic are safe? Currently, none of them are marked as vulnerable on NuGet.

[tg123]

in talk with github
better to use ditnet core version

classic 17.0.14 will throw if you set customized ca, but at least no vulnerability