Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-62878 is a critical path traversal vulnerability in the Rancher local-path-provisioner component. It occurs because the parameter 'parameters.pathPattern' used in Kubernetes StorageClass definitions is not properly validated. A malicious user can manipulate this parameter to include relative path elements like '../../../../../etc/new-dir', which allows the creation of PersistentVolumes pointing to arbitrary locations on the host node outside the intended base directory."}, {'type': 'paragraph', 'content': 'This improper validation enables attackers to overwrite sensitive files or gain unauthorized access to directories on the host system, which should normally be protected.'}, {'type': 'paragraph', 'content': "The vulnerability is addressed in version 0.0.34 and later by implementing validation and normalization of the 'parameters.pathPattern' to prevent path traversal attempts."}] [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves inspecting Kubernetes StorageClass definitions for the use of the `parameters.pathPattern` field containing relative path elements such as `..` that allow directory traversal.'}, {'type': 'paragraph', 'content': 'You can check for potentially malicious or unsafe path patterns by querying your Kubernetes cluster for StorageClasses and examining their parameters. For example, use the following command to list StorageClasses and filter for suspicious pathPattern values:'}, {'type': 'list_item', 'content': "kubectl get storageclass -o jsonpath='{range .items[*]}{.metadata.name}: {.parameters.pathPattern}\\n{end}' | grep '\\.\\.'"}, {'type': 'paragraph', 'content': 'This command lists all StorageClasses and their pathPattern parameters, then filters for any that contain `..` sequences indicating possible path traversal attempts.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring PersistentVolumes that are created outside the expected base directory on the host node can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the Rancher local-path-provisioner to version 0.0.34 or later, where the vulnerability is fixed by validating and normalizing the `parameters.pathPattern` to prevent path traversal.

No patches or workarounds exist for earlier versions, so upgrading is essential to prevent exploitation.

After upgrading, review existing StorageClass definitions to ensure no malicious or unsafe pathPattern values remain.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive files and directories on the host node, potentially leading to data breaches or system compromise.

An attacker can overwrite critical files or access unintended directories by creating PersistentVolumes in arbitrary locations, which can compromise confidentiality, integrity, and availability of the system.

The CVSS v3.1 base score of 9.9 reflects the high severity, indicating that the attack can be performed remotely with low complexity and low privileges, without user interaction, and can cause significant damage.

Useful 0 Not Useful 0