Vulnerabilities Identified in VPA release 1.3.0

[san4ever]

Hi Team,
We identified for the latest VPA 1.3.0 release

registry.k8s.io/autoscaling/vpa-admission-controller
registry.k8s.io/autoscaling/vpa-updater
registry.k8s.io/autoscaling/vpa-recommender
These images got impacted with below list of vulnerabilities.

CVE-2025-22868
CVE-2025-22870
CVE-2025-22866

We would appreciate if you review and provide any timelines to release new version of VPA that remediates these vulnerabilities.

Regards
Sandeep

[raywainman]

Thanks for raising this. We were just discussing cutting a new VPA release, I anticipate that happening in the next week or so.

/assign raywainman

[raywainman]

This should be fixed by #8029 which addresses CVE-2025-22870. I believe the other CVEs have been covered by various other dependency bumps.

[adrianmoisey]

/area vertical-pod-autoscaler

[raywainman]

Will be included in 1.4.0 release which I'm working on now as part of https://github.com/kubernetes/autoscaler/milestone/13.