Kubernetes teams must track CVEs to secure clusters. The Official CVE Feed gives a machine-readable list of security issues. You can pull JSON or RSS with simple commands. You can integrate the feed into scanners, alert systems and event pipelines in minutes.
TL;DR
- Kubernetes publishes a JSON and RSS feed of official CVEs for each release.
- Use curl to fetch feeds programmatically and schedule regular polls.
- Parse JSON fields: id, summary, severity, links, affected versions.
- Trigger event-driven alerts when new CVE entries appear.
- Secure feed consumption with TLS and validate JSON schema.
- Embed in GitOps, SIEM or Slack notifications for real-time ops response.
Kubernetes Official CVE Feed Overview
Kubernetes Security Response Committee maintains the Official CVE Feed in beta since v1.27. It lists CVEs announced by the committee. You get two formats: JSON and RSS. Both update within minutes of a CVE publication. This feed replaces manual parsing of release notes and blog posts.
Fetching the Official CVE Feed
Use curl to retrieve the feeds over HTTPS. JSON is easiest for scripts. RSS works for XML parsers and RSS readers.
# JSON feed
curl -sL https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json | jq .
# RSS feed
curl -sL https://k8s.io/docs/reference/issues-security/official-cve-feed/index.xml | xmllint --format -
The JSON feed has a top-level “items” array. Each item holds:
id: CVE identifier, e.g., CVE-2023-1234.summary: Brief description.severity: Assigned severity, e.g., HIGH.links: Array of URLs to advisories.affected_versions: Kubernetes versions impacted.published: ISO8601 timestamp.
Example Feed:
Note: This example feed was last updated on 20-MAY-2025.
{
"_kubernetes_io": {
"feed_refresh_job": "https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed",
"updated_at": "2025-05-20T01:32:55Z"
},
"authors": [
{
"name": "Kubernetes Community",
"url": "https://www.kubernetes.dev"
}
],
"description": "Auto-refreshing official CVE feed for Kubernetes repository",
"feed_url": "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json",
"home_page_url": "https://kubernetes.io",
"items": [
{
"_kubernetes_io": {
"google_group_url": "https://groups.google.com/g/kubernetes-announce/search?q=CVE-2025-1974",
"issue_number": 131009
},
"content_text": "CVSS Rating: ([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)) (Score: 9.8, Critical)\n\nA security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)\n\n### Am I vulnerable?\n\nThis issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running \\`kubectl get pods \\--all-namespaces \\--selector app.kubernetes.io/name=ingress-nginx\\`.\n\n#### Affected Versions\n\n- < v1.11.0\n- v1.11.0 \\- 1.11.4 \n- v1.12.0\n\n### How do I mitigate this vulnerability?\n\n**ACTION REQUIRED:** The following steps must be taken to mitigate this vulnerability: Upgrade ingress-nginx to v1.11.5, v1.12.1, or any later version.\n\nBefore applying the patch, this issue can be mitigated by disabling the Validating Admission Controller functionality of ingress-nginx.\n\n#### Fixed Versions\n\n- ingress-nginx [main@0ccf4ca](https://github.com/kubernetes/ingress-nginx/pull/13068/commits/0ccf4caaadec919680c455d221e53d97970d527d)\n\nTo upgrade, refer to the documentation: [Upgrading Ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/upgrade/)\n\n### Detection\n\nThere are no known indicators of compromise that prove this vulnerability has been exploited.\n\nIf you find evidence that this vulnerability has been exploited, please contact [email protected]\n\n#### Acknowledgements\n\nThis vulnerability was reported by Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson from Wiz\n\nThe issue was fixed and coordinated by Marco Ebert, James Strong, Tabitha Sable, and the Kubernetes Security Response Committee\n",
"date_published": "2025-03-23T17:38:57Z",
"external_url": "https://www.cve.org/cverecord?id=CVE-2025-1974",
"id": "CVE-2025-1974",
"status": "open",
"summary": "ingress-nginx admission controller RCE escalation",
"url": "https://github.com/kubernetes/kubernetes/issues/131009"
}
],
"title": "Kubernetes Vulnerability Announcements - CVE Feed",
"version": "https://jsonfeed.org/version/1.1"
}Parsing Official CVE Feed JSON
Integrate feed parsing into CI/CD or SIEM tools. Example in Python:
import requests
import json
url = 'https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json'
resp = requests.get(url, timeout=10)
data = resp.json()
for item in data.get('items', []):
print(f"{item['id']} - {item['severity']}: {item['summary']}")
Validate JSON against a schema. Reject entries missing mandatory fields. This stops silent failures in pipelines.
Event-Driven Integration with Official CVE Feed
Use a cron job or Kubernetes CronJob to poll the JSON feed. Compare latest IDs with stored history. On new entries, push an event to:
- Slack webhook for DevOps alerts.
- GitHub issue or PR template for triage workflow.
- Amazon SNS or Google Pub/Sub for downstream subscribers.
- SIEM ingestion via HTTP Event Collector (HEC).
Security and Access Controls
Secure the fetch process with TLS certificate validation. Do not disable verification. Use corporate proxies or mTLS if required. Restrict IPs at firewall level for RSS endpoints. Store feed credentials (if any) in Kubernetes Secrets or Vault.
Advanced Use-Cases for Official CVE Feed
Embed feed data in Vulnerability Management platforms. Tag cluster assets by affected_version to auto-prioritize patch jobs. Trigger automated pull requests to update helm charts or container base images when critical CVEs appear. Combine with OPA/Gatekeeper policies to block deployments with known CVEs until review passes.
References
Suggested Reading
PostHashID: 2552819ba979a7c8b11aa82fb3adeea9a9ad8f9e178e163214b7c22b167d9efa
