Kubernetes creates PersistentVolumes anywhere

Exploitation confirmed - public proof-of-concept - CVE-2025-62878 is a critical path traversal vulnerability in the storage volume management component that lets standard users mount host system directories, enabling file overwrite, secret theft, and privilege escalation. Apply the vendor patch without delay.

Overview

A critical security vulnerability has been identified in a system component that manages storage volumes. This flaw allows an attacker with standard user permissions to create storage volumes that can be linked to any directory on the underlying host server. This could lead to severe system compromise.

Vulnerability Explanation

In simple terms, the system component that creates persistent storage volumes does not properly validate the file path provided by a user. Normally, these paths are restricted to safe, designated locations. This vulnerability allows a malicious actor to specify a custom path pattern (parameters.pathPattern) that points to critical system directories-such as those containing passwords, application secrets, or system binaries-instead of the intended storage area.

Potential Impact

The impact of this vulnerability is severe (CVSS: 9.9 - CRITICAL). A successful exploit could allow an attacker to:

• Destroy or Corrupt Data: Overwrite essential operating system or application files, causing system instability or a complete shutdown.
• Steal Sensitive Information: Mount host directories containing secrets, enabling the theft of passwords, API keys, or encryption certificates.
• Maintain Persistence: Create backdoor files in system locations to ensure continued access even if the initial point of entry is closed.
• Escalate Privileges: Potentially leverage access to host files to gain higher-level privileges on the node or cluster.

Remediation and Mitigation

Immediate action is required to protect your environment.

Primary Remediation: Apply the official patch provided by your vendor or the upstream project as soon as it is available. This is the only way to fully resolve the vulnerability. Consult your platform provider’s security bulletins (e.g., Kubernetes, cloud vendor, or distribution-specific advisories) for patched versions.

Immediate Mitigations (If Patching is Delayed):

1. Restrict Access: Use Role-Based Access Control (RBAC) to strictly limit which users or service accounts have permissions to create or update PersistentVolume objects. Apply the principle of least privilege.
2. Use Admission Controllers: If available, deploy a validating admission webhook to inspect and reject any PersistentVolume creation requests containing path patterns that point to sensitive host directories (e.g., /, /etc, /var/run/secrets).
3. Network Policies: Isolate affected systems and restrict network access to the management API to only trusted sources.
4. Audit Logs: Review audit logs for any unexpected or unauthorized creation of PersistentVolumes, particularly those with unusual or root-level paths in the pathPattern parameter.

General Advice: Always ensure your container orchestration platform and its components are kept up-to-date with the latest security releases. Regularly audit user permissions and cluster configurations.