Executive Summary

CVE-2025-7445 is a vulnerability in Kubernetes secrets-store-sync-controller versions before 0.0.2 where service account tokens are accidentally logged when there is an error marshaling parameters sent to external cloud providers. These logged tokens could be accessed by an attacker with local access to the logs, who could then exchange the tokens with external cloud providers to gain unauthorized access to secrets stored in cloud vault solutions, posing a confidentiality risk. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by exposing service account tokens in logs, which an attacker with local access could use to access sensitive secrets stored in cloud vaults. This leads to a high confidentiality impact, potentially allowing unauthorized access to sensitive information without affecting system integrity or availability. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

Administrators can detect this vulnerability by checking the manager container logs for entries containing service account tokens. The suggested command is: kubectl logs -l 'app.kubernetes.io/part-of=secrets-store-sync-controller' -c manager -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens". Additionally, detection can be enhanced by examining cloud provider logs for unexpected token exchanges and unauthorized access to cloud vault secrets. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the secrets-store-sync-controller to version 0.0.2 or later, where the vulnerability has been fixed. [1, 2]

Useful 0 Not Useful 0