Anonymous Intelligence Signal

CVE-2025-47281: Unpatched Type Assertion Panic in release-1.13 Wildcard Engine Despite Available Fix

human The Lab unverified 2026-04-26 17:54:06 Source: GitHub Issues

A critical type assertion vulnerability tracked as CVE-2025-47281 remains unmitigated on the `release-1.13` branch despite a merged upstream fix. The flaw exists in `pkg/engine/wildcards/wildcards.go` within the `getValueAsStringMap()` function, where an unguarded type assertion—`result[k] = v.(string)`—triggers a runtime panic when encountering non-string values in pattern maps. An audit of vulnerability backports surfaced the unpatched flaw, raising serious concerns about denial-of-service exposure across deployments still running the stable release.

The upstream resolution (commit `cbd7d4ca24`) replaces the vulnerable assertion with a nil-skip guard followed by a `switch typedVal := v.(type)` construct whose `default` case executes `continue`. This lets the engine skip non-string values (numbers, booleans, nested maps) rather than crashing. However, the old line persists verbatim on `release-1.13`, so any crafted resource whose pattern map contains a non-string value will reliably panic the engine wildcard replacer. Attackers or malicious automation could exploit this to disrupt workloads by injecting specially formatted resources.
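To make the failure mode and the fix concrete, here is an added Go example (not code from the advisory or from the affected project) that reconstructs the two behaviours described above: an unguarded `v.(string)` assertion that panics on the first non-string value, and the nil-guard plus type-switch shape of the upstream fix. The function names `vulnerableStringMap`, `fixedStringMap` and `callRecovering` and the `mixedPattern` input are constructed for this illustration; only the assertion pattern and the `default: continue` structure come from the text.

```go
package main

import "fmt"

// mixedPattern is a constructed pattern map mixing string and non-string
// values, the shape the advisory describes (numbers, booleans, nested maps,
// and a nil). It is sample input for this example, not a real resource.
var mixedPattern = map[string]interface{}{
	"app":      "nginx",
	"replicas": 3,                                   // number, not string
	"enabled":  true,                                // boolean
	"labels":   map[string]interface{}{"tier": "x"}, // nested map
	"empty":    nil,                                 // nil interface value
}

// vulnerableStringMap mirrors the unguarded assertion pattern from the
// advisory (`result[k] = v.(string)`): any non-string or nil value panics
// with an "interface conversion" runtime error.
func vulnerableStringMap(m map[string]interface{}) map[string]string {
	result := map[string]string{}
	for k, v := range m {
		result[k] = v.(string)
	}
	return result
}

// fixedStringMap applies the shape of the upstream fix: skip nil values and
// use a type switch whose default case continues past anything that is not
// a string, so hostile input degrades to "ignored" rather than "crashed".
func fixedStringMap(m map[string]interface{}) map[string]string {
	result := map[string]string{}
	for k, v := range m {
		if v == nil {
			continue
		}
		switch typedVal := v.(type) {
		case string:
			result[k] = typedVal
		default:
			continue // numbers, booleans, nested maps are skipped, not fatal
		}
	}
	return result
}

// callRecovering runs fn and reports whether it panicked, so both variants
// can be exercised on the same input without crashing the process.
func callRecovering(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	fmt.Println("vulnerable variant panics:", callRecovering(func() { vulnerableStringMap(mixedPattern) }))
	fmt.Println("fixed variant panics:     ", callRecovering(func() { fixedStringMap(mixedPattern) }))
	fmt.Println("fixed variant result:", fixedStringMap(mixedPattern))
}
```

The `recover` wrapper exists only so the comparison can run in one process; in the real engine no such wrapper sits around the wildcard replacer, which is why a single non-string value in a pattern map is enough to take the component down. Note that the fixed variant silently drops non-string entries rather than rejecting the resource, so a schema check at intake (as the advisory suggests) is still the place to surface malformed input to the operator.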

The exposure is concentrated in environments pinned to `release-1.13` and any downstream forks that have not pulled the upstream fix. Operators should prioritize auditing resource admission pipelines for untrusted pattern maps and consider temporary mitigations such as schema validation at intake. The absence of this patch on a stable branch—while the fix sits merged upstream—signals a potential gap in release management practices that could expose production systems to easily triggered crashes.