CVE-2025-62159
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent use of the BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`.
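The rule the fix enforces is easy to state but worth seeing side by side with the behaviour it replaced. The following Go program is an added illustration written for this page; it is not External Secrets Operator code and does not reproduce the real `resolvers.SecretKeyRef` API. The type names `StoreContext` and `SecretKeySelector`, the helper names `unsafeTargetNamespace` and `safeTargetNamespace`, and the choice to reject a `ClusterSecretStore` reference with no namespace are assumptions of this example. The "unsafe" function models the pre-0.20.0 behaviour the advisory describes (the namespace in the reference is trusted as-is); the "safe" function models the hardened rule (a namespaced `SecretStore` may only read Secrets in its own namespace, a `ClusterSecretStore` may name any namespace).

```go
package main

import (
	"errors"
	"fmt"
)

// Store kinds as they appear in External Secrets Operator manifests.
const (
	KindSecretStore        = "SecretStore"
	KindClusterSecretStore = "ClusterSecretStore"
)

// SecretKeySelector models a provider's auth reference to a Kubernetes
// Secret: its name, the key inside it and an optional namespace.
// (Hypothetical type for this example, not the ESO API type.)
type SecretKeySelector struct {
	Name      string
	Key       string
	Namespace string // optional; only meaningful for a ClusterSecretStore
}

// StoreContext is what the provider knows about the store it serves.
// Namespace is empty for a ClusterSecretStore (cluster-scoped object)
// and is the store's own namespace for a namespaced SecretStore.
type StoreContext struct {
	Kind      string
	Namespace string
}

var ErrCrossNamespace = errors.New("cross-namespace secret reference is only allowed from a ClusterSecretStore")

// unsafeTargetNamespace reproduces the vulnerable behaviour described in the
// advisory: whatever namespace the reference carries is used, so a SecretStore
// in "team-a" can point at a Secret in "kube-system".
func unsafeTargetNamespace(store StoreContext, ref SecretKeySelector) string {
	if ref.Namespace != "" {
		return ref.Namespace
	}
	return store.Namespace
}

// safeTargetNamespace is the hardened rule. A namespaced SecretStore may only
// read Secrets in its own namespace; a ClusterSecretStore may name any
// namespace because creating one already requires cluster-level rights.
// Rejecting a ClusterSecretStore reference without a namespace is a design
// choice of this example (assumption), so the caller never guesses a default.
func safeTargetNamespace(store StoreContext, ref SecretKeySelector) (string, error) {
	switch store.Kind {
	case KindClusterSecretStore:
		if ref.Namespace == "" {
			return "", errors.New("ClusterSecretStore reference must set a namespace")
		}
		return ref.Namespace, nil
	case KindSecretStore:
		if ref.Namespace != "" && ref.Namespace != store.Namespace {
			return "", ErrCrossNamespace
		}
		return store.Namespace, nil
	default:
		return "", fmt.Errorf("unknown store kind %q", store.Kind)
	}
}

func main() {
	// Constructed scenario: a namespaced store in "team-a" whose auth
	// reference points at a Secret in "kube-system".
	store := StoreContext{Kind: KindSecretStore, Namespace: "team-a"}
	ref := SecretKeySelector{Name: "bt-credentials", Key: "token", Namespace: "kube-system"}

	fmt.Println("vulnerable resolution reads from:", unsafeTargetNamespace(store, ref))
	if _, err := safeTargetNamespace(store, ref); err != nil {
		fmt.Println("hardened resolution rejected it:", err)
	}

	// The same reference from a ClusterSecretStore is legitimate.
	ns, _ := safeTargetNamespace(StoreContext{Kind: KindClusterSecretStore}, ref)
	fmt.Println("ClusterSecretStore reads from:", ns)
}
```

The same rule is what the Kyverno or OPA workaround in the advisory expresses at admission time: a `SecretStore` manifest whose provider auth reference sets a namespace is rejected, while a `ClusterSecretStore` is allowed to set one.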
Meta Information
Published
2025-10-10
Last Modified
2025-10-14
Generated
2026-05-07
AI Q&A
2025-10-11
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
beyondtrust external_secrets_operator 0.20.0
beyondtrust external_secrets_operator 0.19.2
beyondtrust external_secrets_operator 0.10.1
Helpful Resources
Exploitability
CWE
KEV
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider retrieved Kubernetes secrets directly without validating the namespace context or the type of secret store. This flaw allowed unauthorized access to secrets across different namespaces, breaking security boundaries and potentially exposing sensitive credentials. The issue was fixed in version 0.20.0 by enforcing namespace validation and restricting cross-namespace access to only certain secret store types.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized cross-namespace access to Kubernetes secrets, which means an attacker or unauthorized user could access sensitive credentials or secrets from other namespaces. This exposure can compromise the security of applications and systems relying on those secrets, potentially leading to data breaches or unauthorized actions within the Kubernetes environment.


What immediate steps should I take to mitigate this vulnerability?

Upgrade the External Secrets Operator BeyondTrust provider to version 0.20.0 or later, which includes the fix enforcing namespace validation. As a workaround, implement a policy engine such as Kyverno or OPA to prevent usage of the BeyondTrust provider and/or validate the (Cluster)SecretStore to ensure namespaces are only set when using a ClusterSecretStore.

