CVE-2025-68476: KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential

December 22, 2025 (updated December 23, 2025)

An Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication.

The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount.

An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node’s filesystem (where the KEDA pod resides) by directing the file’s content to a server under their control, as part of the Vault authentication request.

The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-68476 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →