CVE-2025-68476
Unknown Unknown - Not Provided
Arbitrary File Read in KEDA TriggerAuthentication Enables Data Exfiltration

Publication date: 2025-12-22

Last updated on: 2025-12-22

Assigner: GitHub, Inc.

Description
KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2025-12-22
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68476
EUVD
EUVD-2025-204753
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
keda keda *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Arbitrary File Read issue in KEDA's handling of Kubernetes service account tokens used for HashiCorp Vault authentication. Specifically, before versions 2.17.3 and 2.18.3, KEDA did not properly validate the file paths when loading the service account token specified in the TriggerAuthentication resource. An attacker with permissions to create or modify TriggerAuthentication resources can exploit this by specifying arbitrary file paths, causing KEDA to read and exfiltrate any file from the node's filesystem where the KEDA pod runs. This could include sensitive files like /etc/passwd. The vulnerability arises from insufficient path validation and has been fixed by adding strict validation of the service account tokens to ensure they are valid Kubernetes tokens before use. [1, 2]

Impact Analysis

If exploited, this vulnerability can lead to the exfiltration of sensitive system information from the node's filesystem where the KEDA pod resides. This includes secrets, keys, or critical system files such as /etc/passwd. The attacker needs high privileges to create or modify TriggerAuthentication resources but can then remotely cause the KEDA pod to read arbitrary files and send their contents to an attacker-controlled server. This results in a high confidentiality impact, potentially exposing sensitive data, but does not affect system integrity or availability. [2]

Detection Guidance

You can detect if your system is vulnerable by checking the version of the KEDA operator image deployed in your Kubernetes cluster. Versions prior to 2.17.3, 2.18.3, or below 2.19.0 are vulnerable. A command to check the KEDA operator version could be: kubectl -n keda get deployment keda-operator -o jsonpath='{.spec.template.spec.containers[0].image}'. This will show the image version. If the version is older than the patched versions, your system is vulnerable. Additionally, monitoring for creation or modification of TriggerAuthentication resources with suspicious or unusual file paths in the spec.hashiCorpVault.credential.serviceAccount field can help detect exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation steps are: 1) Upgrade KEDA to version 2.17.3, 2.18.3, or any version from 2.19.0 onward where the vulnerability is patched. 2) Implement strict RBAC controls to limit who can create or modify TriggerAuthentication resources, ensuring only trusted users have these permissions. These steps prevent exploitation by removing the vulnerable code and restricting the ability to create malicious TriggerAuthentication resources. [2]

Compliance Impact

The vulnerability allows an attacker with high privileges to exfiltrate sensitive files from the node's filesystem, potentially including secrets and keys. This unauthorized disclosure of sensitive information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access. Therefore, exploitation of this vulnerability may result in violations of these standards due to confidentiality breaches. Mitigation involves patching and strict RBAC controls to limit permissions. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68476. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart