Platform
go
Component
github.com/rancher/local-path-provisioner
Fixed in
0.0.34
CVE-2025-62878 is a critical Path Traversal vulnerability discovered in the Rancher Local Path Provisioner, a Kubernetes storage provisioner. This flaw allows malicious users to manipulate storage class parameters to create PersistentVolumes in arbitrary locations on the host node, potentially leading to data corruption or unauthorized access. The vulnerability impacts versions prior to 0.0.34, and a fix has been released in version 0.0.34.
The core of the vulnerability is improper validation of the parameters.pathPattern storage class parameter in the Rancher Local Path Provisioner. An attacker can craft a malicious Kubernetes StorageClass definition that uses path traversal sequences (e.g., ../..) to place PersistentVolumes outside the intended directory. This could allow them to overwrite critical system files on the host node, escalate privileges, or gain access to sensitive data. The impact extends beyond data corruption: successful exploitation could compromise the entire Kubernetes node and potentially lead to cluster-wide breaches. The flaw resembles other path traversal issues in which attackers rely on predictable file system layouts to bypass access controls.
CVE-2025-62878 has been published and is considered a high-severity vulnerability. While no public exploits have been widely reported, the ease of exploitation and the potential impact make it a significant concern. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation. The vulnerability was disclosed on 2026-02-04.
Kubernetes clusters utilizing the Rancher Local Path Provisioner are at risk, particularly those with misconfigured storage class definitions or environments where users have the ability to modify storage class parameters. Shared Kubernetes environments and those with legacy storage class configurations are especially vulnerable.
• linux / server:
journalctl -u local-path-provisioner --grep 'pathPattern='
• linux / server:
find /var/lib/kubelet/pods -name '*pathPattern=*'
• generic web:
Inspect Kubernetes storage class configurations for unusual or suspicious pathPattern values. Look for patterns that include relative path components (e.g., ../).
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62878 is to immediately upgrade the Rancher Local Path Provisioner to version 0.0.34 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing stricter Kubernetes NetworkPolicies to restrict access to the Local Path Provisioner service. Additionally, implement robust monitoring and auditing of PersistentVolume creation events to detect any suspicious activity. While a WAF is unlikely to directly address this vulnerability, it can be configured to monitor for unusual StorageClass definitions containing path traversal sequences. After upgrading, verify the fix by attempting to create a PersistentVolume with a malicious pathPattern and confirming that the creation fails with an appropriate error message.
Update the Local Path Provisioner to version 0.0.34 or later. This version fixes the path traversal vulnerability. The update prevents malicious users from manipulating the pathPattern parameter to access arbitrary locations on the host node.
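One way to implement the pathPattern validation the mitigation section calls for, and to run the same check over collected StorageClass parameters as the detection list suggests, written here as an added Go example (not code from the provisioner project); the base directory /opt/local-path-provisioner and the storage-class names in the sample data are assumptions:

```go
package main

import (
	"errors"
	"path/filepath"
	"sort"
	"strings"
)

// ErrPathTraversal is returned when a pathPattern would place the volume
// outside the provisioner's base directory on the node.
var ErrPathTraversal = errors.New("pathPattern escapes the base directory")
// ResolveVolumePath joins a storage-class pathPattern onto baseDir and
// rejects absolute patterns and any result that is not a strict subdirectory
// of baseDir. The check runs on the cleaned, joined path, so "../../etc" and
// "data/../../../root" are both rejected, not only patterns starting with "..".
func ResolveVolumePath(baseDir, pathPattern string) (string, error) {
	if pathPattern == "" {
		return "", errors.New("pathPattern must not be empty")
	}
	// filepath.Join would fold an absolute pattern under baseDir; reject it explicitly.
	if filepath.IsAbs(pathPattern) {
		return "", ErrPathTraversal
	}
	base := filepath.Clean(baseDir)
	full := filepath.Clean(filepath.Join(base, pathPattern))
	// Rel yields ".." or "../x" exactly when full lies outside base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	if rel == "." {
		return "", errors.New("pathPattern must name a subdirectory of the base directory")
	}
	return full, nil
}

// AuditPathPatterns applies the same check to storage-class name -> pathPattern
// pairs (as collected from a cluster's StorageClass objects) and returns the
// names whose pattern would be rejected, sorted for stable output.
func AuditPathPatterns(baseDir string, patterns map[string]string) []string {
	var flagged []string
	for name, p := range patterns {
		if _, err := ResolveVolumePath(baseDir, p); err != nil {
			flagged = append(flagged, name)
		}
	}
	sort.Strings(flagged)
	return flagged
}
```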
CVE-2025-62878 is a critical vulnerability in Rancher Local Path Provisioner allowing attackers to create PersistentVolumes in arbitrary locations, potentially overwriting files.
You are affected if you are using Rancher Local Path Provisioner versions prior to 0.0.34 and are able to modify storage class parameters.
Upgrade to Rancher Local Path Provisioner version 0.0.34 or later. Implement stricter input validation on the parameters.pathPattern if immediate upgrade is not possible.
As of now, there are no known public exploits or active campaigns targeting CVE-2025-62878, but its critical severity warrants prompt patching.
Refer to the Rancher security advisory for detailed information and updates regarding CVE-2025-62878: [https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-xxxx-xxxx-xxxx](Replace with actual advisory URL)