Platform
go
Component
github.com/rancher/local-path-provisioner
Fixed in
0.0.34
CVE-2025-62878 is a critical path traversal vulnerability in the Rancher Local Path Provisioner, a dynamic provisioner that backs Kubernetes PersistentVolumes with directories on each node's local filesystem. The flaw lets a user who can manipulate storage class parameters have PersistentVolumes created at arbitrary locations on the host node, which can lead to data corruption or unauthorized access to host files. Versions prior to 0.0.34 are affected; the fix is released in version 0.0.34.
The primary impact of CVE-2025-62878 is unauthorized access to files and directories on the Kubernetes host node. The provisioner derives each volume's host directory from the storage class parameter parameters.pathPattern, a template expanded per PersistentVolumeClaim (the documented form is `{{ .PVC.Namespace }}/{{ .PVC.Name }}`) and joined to the provisioner's configured base path. An attacker who can set that parameter dictates where PersistentVolumes are created: a pattern containing `..` segments that is not checked to stay beneath the base path resolves to an arbitrary host directory, and any pod that mounts the resulting volume gets read and write access to it. That is enough to overwrite critical system files, plant binaries or configuration that the node later executes, or read data belonging to other workloads. The blast radius extends to the data on any PersistentVolume created from a vulnerable storage class configuration and to the host filesystem of every node that served such a volume. The flaw is the classic path traversal pattern: caller-supplied path fragments are joined to a trusted base directory without verifying that the result remains inside it.
CVE-2025-62878 was publicly disclosed on 2026-02-04 and is rated CRITICAL (CVSS 9.9). As of this writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. Exploitation needs no more than the ability to set the offending storage class parameter, so the critical severity warrants close attention and prompt patching despite the absence of public exploit code.
Exploit Status
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2025-62878 is to upgrade the Rancher Local Path Provisioner to version 0.0.34 or later. If an immediate upgrade is not feasible, limit who can create or modify StorageClass objects (they are cluster-scoped, so RBAC on create, update and patch of storageclasses.storage.k8s.io is the control) and add an admission policy (a ValidatingAdmissionPolicy, Kyverno or Gatekeeper rule) that rejects any parameters.pathPattern containing a `..` segment and allows only a known-good template such as the namespace/name form. Audit the StorageClasses already in the cluster against the same rule. A web application firewall does not apply here: StorageClass parameters arrive through the Kubernetes API, not through an HTTP application front end. Monitor Kubernetes audit logs for creation or modification of StorageClasses that set pathPattern, and for PersistentVolume creation events whose hostPath or local path lies outside the provisioner's configured base directory.
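As an added example, not code from this page's source or from the local-path-provisioner project, the Go scanner below runs the audit-log check suggested above over a few constructed audit.k8s.io/v1 events. It flags StorageClass writes whose parameters.pathPattern contains a `..` segment and PersistentVolume creations whose hostPath path is not beneath the provisioner's base directory. The base path /opt/local-path-provisioner, the sample events and the usernames in them are assumptions made for the demonstration; requestObject is only present when the audit policy records those resources at level Request or RequestResponse.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// auditEvent holds the fields of an audit.k8s.io/v1 Event used below;
// requestObject is recorded only at audit level Request or RequestResponse.
type auditEvent struct {
	Verb      string `json:"verb"`
	User      struct{ Username string `json:"username"` } `json:"user"`
	ObjectRef struct {
		Resource string `json:"resource"`
		Name     string `json:"name"`
	} `json:"objectRef"`
	RequestObject json.RawMessage `json:"requestObject"`
}

// Finding is one alert produced by the scanner.
type Finding struct{ User, Resource, Name, Reason string }

// hasDotDot reports whether any segment of p is "..", the segment that lets an
// expanded pathPattern climb out of the provisioner's base directory.
func hasDotDot(p string) bool {
	for _, seg := range strings.Split(filepath.ToSlash(p), "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// outsideBase reports whether host path p is not strictly beneath base.
func outsideBase(base, p string) bool {
	return !strings.HasPrefix(filepath.Clean(p), filepath.Clean(base)+string(filepath.Separator))
}

// ScanAuditLog takes newline-delimited audit events and flags StorageClass
// writes whose parameters.pathPattern contains "..", plus PersistentVolume
// creations whose hostPath path lies outside basePath.
func ScanAuditLog(log, basePath string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		var ev auditEvent
		if line = strings.TrimSpace(line); line == "" || json.Unmarshal([]byte(line), &ev) != nil {
			continue // blank or malformed; a production pipeline should count the latter
		}
		if ev.Verb != "create" && ev.Verb != "update" && ev.Verb != "patch" {
			continue
		}
		switch ev.ObjectRef.Resource {
		case "storageclasses":
			var sc struct {
				Parameters map[string]string `json:"parameters"`
			}
			if json.Unmarshal(ev.RequestObject, &sc) == nil && hasDotDot(sc.Parameters["pathPattern"]) {
				out = append(out, Finding{ev.User.Username, "storageclasses", ev.ObjectRef.Name,
					"pathPattern contains '..': " + sc.Parameters["pathPattern"]})
			}
		case "persistentvolumes":
			var pv struct {
				Spec struct {
					HostPath *struct{ Path string `json:"path"` } `json:"hostPath"`
				} `json:"spec"`
			}
			if json.Unmarshal(ev.RequestObject, &pv) != nil || pv.Spec.HostPath == nil {
				continue // volumeType local would need spec.local.path checked the same way
			}
			if outsideBase(basePath, pv.Spec.HostPath.Path) {
				out = append(out, Finding{ev.User.Username, "persistentvolumes", ev.ObjectRef.Name,
					"volume path outside base: " + pv.Spec.HostPath.Path})
			}
		}
	}
	return out
}

// SampleAuditLog is constructed for this example; it is not real cluster output.
const SampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"admin"},"objectRef":{"resource":"storageclasses","name":"local-path"},"requestObject":{"provisioner":"rancher.io/local-path","parameters":{"pathPattern":"{{ .PVC.Namespace }}/{{ .PVC.Name }}"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"update","user":{"username":"dev-ci"},"objectRef":{"resource":"storageclasses","name":"local-path"},"requestObject":{"provisioner":"rancher.io/local-path","parameters":{"pathPattern":"../../../{{ .PVC.Name }}"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:local-path-storage:local-path-provisioner-service-account"},"objectRef":{"resource":"persistentvolumes","name":"pvc-1234"},"requestObject":{"spec":{"hostPath":{"path":"/etc/cron.d","type":"DirectoryOrCreate"}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:local-path-storage:local-path-provisioner-service-account"},"objectRef":{"resource":"persistentvolumes","name":"pvc-5678"},"requestObject":{"spec":{"hostPath":{"path":"/opt/local-path-provisioner/team-a/data","type":"DirectoryOrCreate"}}}}
`

func main() {
	for _, f := range ScanAuditLog(SampleAuditLog, "/opt/local-path-provisioner") {
		fmt.Printf("%s %s/%s: %s\n", f.User, f.Resource, f.Name, f.Reason)
	}
}
```

Run against the sample, the scanner reports the dev-ci StorageClass update and the pvc-1234 volume at /etc/cron.d, and stays silent on the benign StorageClass and the volume under the base path. The PersistentVolume check is the more reliable of the two signals because it fires on the provisioner's own output regardless of how the pathPattern was smuggled in.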
Update the Local Path Provisioner to version 0.0.34 or later. This release fixes the path traversal: a pathPattern can no longer be used to place a volume outside the provisioner's configured base path on the host node. After upgrading, review existing StorageClasses and PersistentVolumes for pathPattern values or host paths that should not be there, since the fix does not retroactively change volumes that were already provisioned.
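The following Go program is an added example written for this page, not code from the local-path-provisioner project, and it serves both the impact description above and the fix. It models the mechanism: pathPattern is a Go text/template expanded against the PersistentVolumeClaim (the project documents placeholders such as `{{ .PVC.Namespace }}` and `{{ .PVC.Name }}`), and the result is joined to the provisioner's base path. The PVCMeta type, the base path /opt/local-path-provisioner and the two helper functions are this example's own assumptions rather than the project's API; unsafeVolumePath shows the traversal, safeVolumePath shows the containment check a fix needs.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
	"text/template"
)

// PVCMeta is the PersistentVolumeClaim metadata the template can reference.
// Shape assumed for this example; it is not the project's own type.
type PVCMeta struct {
	Name        string
	Namespace   string
	Annotations map[string]string
}

// ErrOutsideBase is returned when an expanded pattern leaves the base directory.
var ErrOutsideBase = errors.New("pathPattern resolves outside the base path")

// expandPathPattern renders pattern as a Go text/template with .PVC bound to
// meta, so "{{ .PVC.Namespace }}/{{ .PVC.Name }}" becomes "<ns>/<name>".
func expandPathPattern(pattern string, meta PVCMeta) (string, error) {
	tmpl, err := template.New("pathPattern").Parse(pattern)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]any{"PVC": meta}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// unsafeVolumePath joins the expanded pattern onto basePath and trusts the
// result. filepath.Join cleans the path, so ".." segments are resolved and a
// pattern (or any PVC field the template references) containing them walks
// out of basePath.
func unsafeVolumePath(basePath, pattern string, meta PVCMeta) (string, error) {
	rel, err := expandPathPattern(pattern, meta)
	if err != nil {
		return "", err
	}
	return filepath.Join(basePath, rel), nil
}

// safeVolumePath does the same join but refuses any result that is not
// strictly beneath basePath. Comparing cleaned strings catches ".." and the
// sibling-prefix trick (basePath+"-other"); it does not follow symlinks, which
// a node-side check would also need (filepath.EvalSymlinks).
func safeVolumePath(basePath, pattern string, meta PVCMeta) (string, error) {
	rel, err := expandPathPattern(pattern, meta)
	if err != nil {
		return "", err
	}
	base := filepath.Clean(basePath)
	full := filepath.Join(base, rel)
	if !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	const base = "/opt/local-path-provisioner" // assumed base path for the example
	pvc := PVCMeta{Name: "data", Namespace: "team-a"} // constructed claim

	// A storage class parameter carrying traversal segments.
	p, _ := unsafeVolumePath(base, "../../etc/{{ .PVC.Name }}", pvc)
	fmt.Println("unsafe:", p) // /etc/data
	_, err := safeVolumePath(base, "../../etc/{{ .PVC.Name }}", pvc)
	fmt.Println("safe:  ", err) // pathPattern resolves outside the base path

	// The documented pattern with benign input stays inside the base path.
	p, _ = safeVolumePath(base, "{{ .PVC.Namespace }}/{{ .PVC.Name }}", pvc)
	fmt.Println("safe:  ", p) // /opt/local-path-provisioner/team-a/data
}
```

The containment check is deliberately applied to the fully expanded and cleaned path rather than to the raw template text: a rule that only greps the pattern for `..` misses values that arrive through the PVC fields the template references, as the annotation case in the accompanying test shows.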
CVE-2025-62878 is a critical path traversal vulnerability in Rancher Local Path Provisioner that lets an attacker who controls the pathPattern storage class parameter have PersistentVolumes created at arbitrary locations on the host node, potentially overwriting files there.
You are affected if you run Rancher Local Path Provisioner at a version prior to 0.0.34 and any principal you do not fully trust can create or modify StorageClass parameters.
Upgrade to Rancher Local Path Provisioner version 0.0.34 or later. If that cannot happen immediately, restrict StorageClass writes with RBAC and enforce validation of parameters.pathPattern with an admission policy.
As of now there are no known public exploits or active campaigns targeting CVE-2025-62878, but its critical severity warrants prompt patching.
Refer to the Rancher security advisory for detailed information and updates regarding CVE-2025-62878: https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-xxxx-xxxx-xxxx