Advisories for Maven/Com.linecorp.armeria/Armeria-Xds package

2026

Armeria: External Control of File Name or Path in xDS SDS DataSource

DataSourceStream in the :xds module resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control plane (or an attacker who can MITM SDS responses) can read arbitrary local files and environment variables on the xDS client host.

Affected component: xds/src/main/java/com/linecorp/armeria/xds/DataSourceStream.java

Introduced in: Armeria 1.38.0 (commit b199560b10, "Add support for SDS", #6597)

Affected versions: 1.38.0, 1.39.0