CVE-2025-68476
Arbitrary File Read in KEDA TriggerAuthentication Enables Data Exfiltration
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keda | keda | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Arbitrary File Read issue in KEDA's handling of Kubernetes service account tokens used for HashiCorp Vault authentication. Specifically, before versions 2.17.3 and 2.18.3, KEDA did not properly validate the file paths when loading the service account token specified in the TriggerAuthentication resource. An attacker with permissions to create or modify TriggerAuthentication resources can exploit this by specifying arbitrary file paths, causing KEDA to read and exfiltrate any file from the node's filesystem where the KEDA pod runs. This could include sensitive files like /etc/passwd. The vulnerability arises from insufficient path validation and has been fixed by adding strict validation of the service account tokens to ensure they are valid Kubernetes tokens before use. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to the exfiltration of sensitive system information from the node's filesystem where the KEDA pod resides. This includes secrets, keys, or critical system files such as /etc/passwd. The attacker needs high privileges to create or modify TriggerAuthentication resources but can then remotely cause the KEDA pod to read arbitrary files and send their contents to an attacker-controlled server. This results in a high confidentiality impact, potentially exposing sensitive data, but does not affect system integrity or availability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect whether your system is vulnerable by checking the version of the KEDA operator image deployed in your Kubernetes cluster. Versions earlier than 2.17.3 and 2.18.x versions earlier than 2.18.3 are vulnerable; 2.17.3, 2.18.3 and 2.19.0 or later carry the fix. A command to check the KEDA operator version is: `kubectl -n keda get deployment keda-operator -o jsonpath='{.spec.template.spec.containers[0].image}'`. This prints the image reference, including its version tag. If the tag is older than the patched versions, your system is vulnerable. Additionally, monitoring for creation or modification of TriggerAuthentication resources with suspicious or unusual file paths in the spec.hashiCorpVault.credential.serviceAccount field can help detect exploitation attempts. [2]
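As an added example (not the advisory's own content and not code from the KEDA project), the following POSIX shell script turns the two checks above into something repeatable: it reads the keda-operator image tag, decides whether that version falls in an affected range using the patched versions named here, and lists every TriggerAuthentication whose spec.hashiCorpVault.credential.serviceAccount differs from the expected token path. The expected path /var/run/secrets/kubernetes.io/serviceaccount/token is an assumption based on KEDA's documented default; the deployment name and namespace are taken from the kubectl command above and can be overridden through the variables at the top.

```shell
#!/bin/sh
# Added example for CVE-2025-68476 (not from the advisory or the KEDA project).
# Patched versions 2.17.3 / 2.18.3 / 2.19.0 come from the advisory; the expected
# token path is an assumption based on KEDA's documented default.

KEDA_NAMESPACE="${KEDA_NAMESPACE:-keda}"
KEDA_DEPLOYMENT="${KEDA_DEPLOYMENT:-keda-operator}"
# Expected value of spec.hashiCorpVault.credential.serviceAccount (assumed default).
EXPECTED_TOKEN_PATH="${EXPECTED_TOKEN_PATH:-/var/run/secrets/kubernetes.io/serviceaccount/token}"

# image_tag_version IMAGE -> prints the version carried by an image reference:
#   ghcr.io/kedacore/keda:2.18.1            -> 2.18.1
#   ghcr.io/kedacore/keda:v2.17.2@sha256:.. -> 2.17.2
#   localhost:5000/keda (no tag)            -> (empty)
image_tag_version() {
    ref="${1%%@*}"            # drop any @sha256:... digest suffix
    tag="${ref##*:}"          # text after the last colon
    case "$tag" in
        */*) tag="" ;;        # the colon belonged to a registry port, not a tag
    esac
    printf '%s\n' "${tag#v}"
}

# keda_version_vulnerable VERSION -> exit 0 when VERSION is in an affected range
# (anything before 2.17.3, or 2.18.x before 2.18.3), 1 when it carries the fix,
# 2 when the tag is not a version at all (e.g. "latest", "main").
keda_version_vulnerable() {
    v="$1"
    case "$v" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major="${v%%.*}"; rest="${v#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    patch="${patch%%[!0-9]*}"   # tolerate suffixes such as 2.18.1-rc1
    : "${patch:=0}"
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 17 ]; then return 0; fi
    if [ "$minor" -eq 17 ] && [ "$patch" -lt 3 ]; then return 0; fi
    if [ "$minor" -eq 18 ] && [ "$patch" -lt 3 ]; then return 0; fi
    return 1
}

# suspicious_token_path PATH -> exit 0 when a TriggerAuthentication points Vault
# authentication at something other than the expected token file. An empty
# field means KEDA falls back to its default, so it is not flagged.
suspicious_token_path() {
    [ -n "$1" ] && [ "$1" != "$EXPECTED_TOKEN_PATH" ]
}

# Live checks run only when kubectl is available, so the functions above can be
# sourced and tested without a cluster. Set KEDA_LIVE_CHECK=0 to skip them.
if command -v kubectl >/dev/null 2>&1 && [ "${KEDA_LIVE_CHECK:-1}" = 1 ]; then
    image=$(kubectl -n "$KEDA_NAMESPACE" get deployment "$KEDA_DEPLOYMENT" \
        -o jsonpath='{.spec.template.spec.containers[0].image}')
    ver=$(image_tag_version "$image")
    if keda_version_vulnerable "$ver"; then
        echo "VULNERABLE: $KEDA_DEPLOYMENT image $image (version $ver)"
    else
        echo "ok (or unparseable tag): $KEDA_DEPLOYMENT image $image"
    fi
    # One line per TriggerAuthentication: "<namespace> <name> <serviceAccount path>"
    kubectl get triggerauthentications --all-namespaces \
        -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.hashiCorpVault.credential.serviceAccount}{"\n"}{end}' |
    while read -r ns name path; do
        if suspicious_token_path "$path"; then
            echo "REVIEW: TriggerAuthentication $ns/$name uses token path $path"
        fi
    done
fi
```

Run it as `sh keda-check.sh` from a workstation with cluster access; the REVIEW lines are the ones to follow up on, since a Vault token path outside the service account mount is exactly the pattern the advisory describes. Treat a non-version tag (`latest`, a branch name) as unknown rather than safe and resolve it to a release before deciding.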
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are: 1) Upgrade KEDA to version 2.17.3, 2.18.3, or any version from 2.19.0 onward where the vulnerability is patched. 2) Implement strict RBAC controls to limit who can create or modify TriggerAuthentication resources, ensuring only trusted users have these permissions. These steps prevent exploitation by removing the vulnerable code and restricting the ability to create malicious TriggerAuthentication resources. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker with high privileges to exfiltrate sensitive files from the node's filesystem, potentially including secrets and keys. This unauthorized disclosure of sensitive information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access. Therefore, exploitation of this vulnerability may result in violations of these standards due to confidentiality breaches. Mitigation involves patching and strict RBAC controls to limit permissions. [2]