ghsa-fcxq-v2r3-cc8h
Vulnerability from github
Published
2025-08-13 19:45
Modified
2025-08-14 13:31
Severity ?
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
Details

Summary

A vulnerability was discovered in the External Secrets Operator where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector.
This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions.

Impact

An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces.
This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster.

Exploitability

To exploit this vulnerability, an attacker must:

  1. Have permissions to create or update PushSecret resources.
  2. Control one or more SecretStore resources.

With these conditions met, the attacker could leverage label selectors to list secrets from any namespace and retrieve their contents.

Affected Versions

  • Vulnerable: v0.15.0 – v0.19.1
  • Not Vulnerable: v0.19.2 and later

Fix

The vulnerability was addressed in v0.19.2 by adding namespace restrictions to the List() calls for both PushSecret and SecretStore controllers.
This ensures that only secrets in the intended namespace are accessible.

Relevant fixes: - #5133 – Enforce namespace selector for PushSecret List() calls
- #5109 – Enforce namespace selector for SecretStore List() calls

Mitigation

If upgrading to v0.19.2 or later is not immediately possible, the following mitigations are recommended:

  • Restrict RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources.
  • Audit existing PushSecret and SecretStore resources to ensure they are controlled by trusted parties.
  • Review Network Policies to prevent data exfiltration

Credit

This vulnerability was reported by @gracedo and @moolen

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/external-secrets/external-secrets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.15.0"
            },
            {
              "fixed": "0.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-13T19:45:15Z",
    "nvd_published_at": "2025-08-13T23:15:27Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nA vulnerability was discovered in the External Secrets Operator where the `List()` calls for Kubernetes Secret and SecretStore resources performed by the `PushSecret` controller did not apply a namespace selector.  \nThis flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions.\n\n---\n\n## Impact\nAn attacker with the ability to create or update `PushSecret` resources and control `SecretStore` configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces.  \nThis could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster.\n\n---\n\n## Exploitability\nTo exploit this vulnerability, an attacker must:\n\n1. Have permissions to create or update `PushSecret` resources.\n2. Control one or more `SecretStore` resources.\n\nWith these conditions met, the attacker could leverage label selectors to list secrets from any namespace and retrieve their contents.\n\n---\n\n## Affected Versions\n- **Vulnerable:** v0.15.0 \u2013 v0.19.1  \n- **Not Vulnerable:** v0.19.2 and later  \n\n---\n\n## Fix\nThe vulnerability was addressed in v0.19.2 by adding namespace restrictions to the `List()` calls for both `PushSecret` and `SecretStore` controllers.  \nThis ensures that only secrets in the intended namespace are accessible.\n\nRelevant fixes:\n- [#5133](https://github.com/external-secrets/external-secrets/pull/5133) \u2013 Enforce namespace selector for PushSecret `List()` calls  \n- [#5109](https://github.com/external-secrets/external-secrets/pull/5109) \u2013 Enforce namespace selector for SecretStore `List()` calls  \n\n---\n\n## Mitigation\nIf upgrading to v0.19.2 or later is not immediately possible, the following mitigations are recommended:\n\n- Restrict RBAC permissions so that only trusted service accounts can create or update `PushSecret` and `SecretStore` resources.  \n- Audit existing `PushSecret` and `SecretStore` resources to ensure they are controlled by trusted parties.  \n- Review Network Policies to prevent data exfiltration\n\n---\n\n## Credit\nThis vulnerability was reported by @gracedo and @moolen",
  "id": "GHSA-fcxq-v2r3-cc8h",
  "modified": "2025-08-14T13:31:03Z",
  "published": "2025-08-13T19:45:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/security/advisories/GHSA-fcxq-v2r3-cc8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/pull/5109"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/pull/5133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/commit/39cdba5863533007b582dc63dd300839326b2f1d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/external-secrets/external-secrets/commit/de40e8f4fa9559c1d770bb674589b285da5ef2d1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/external-secrets/external-secrets"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "External Secrets Operator\u0027s Missing Namespace Restriction Allows Unauthorized Secret Access"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.