CVE-2025-62878: Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern
A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.
Example:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: >
{"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"local-path"},"provisioner":"rancher.io/local-path","reclaimPolicy":"Delete","volumeBindingMode":"WaitForFirstConsumer"}
storageclass.kubernetes.io/is-default-class: 'true'
name: local-path
provisioner: rancher.io/local-path
reclaimPolicy: Delete
parameters:
pathPattern: "{{ .PVC.Namespace }}/{{ .PVC.Name }}/../../../../../etc/new-dir"
volumeBindingMode: WaitForFirstConsumer
Results in the PersistentVolume to target /etc/new-dir:
This produces a PersistentVolume that points to /etc/new-dir, instead of a path under the configured base directory.
Expected Behavior:
- Paths generated from pathPattern should always resolve under the configured base path.
- Relative path elements (e.g., ..) should be normalized or rejected.
References
- github.com/advisories/GHSA-jr3w-9vfr-c746
- github.com/rancher/local-path-provisioner
- github.com/rancher/local-path-provisioner/blob/d4f71b4b03a321e9f54be00808e9de42b8bfd35a/provisioner.go
- github.com/rancher/local-path-provisioner/security/advisories/GHSA-jr3w-9vfr-c746
- nvd.nist.gov/vuln/detail/CVE-2025-62878
Code Behaviors & Features
Detect and mitigate CVE-2025-62878 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →