Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2025-62878

Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern
Back to all
CVE

CVE-2025-62878

Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern

Impact

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

Example:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"local-path"},"provisioner":"rancher.io/local-path","reclaimPolicy":"Delete","volumeBindingMode":"WaitForFirstConsumer"}
    storageclass.kubernetes.io/is-default-class: 'true'
  name: local-path
provisioner: rancher.io/local-path
reclaimPolicy: Delete
parameters:
  pathPattern: "{{ .PVC.Namespace }}/{{ .PVC.Name }}/../../../../../etc/new-dir"
volumeBindingMode: WaitForFirstConsumer
Results in the PersistentVolume to target /etc/new-dir:

This produces a PersistentVolume that points to /etc/new-dir, instead of a path under the configured base directory.

Expected Behavior:

  • Paths generated from pathPattern should always resolve under the configured base path.
  • Relative path elements (e.g., ..) should be normalized or rejected.

Patches

This vulnerability is addressed by validating and normalizing the parameters.pathPattern to ensure that generated PersistentVolume paths always resolve under the configured base directory. Any path traversal attempts using relative path elements are rejected, preventing PersistentVolumes from being created in arbitrary locations on the host node.

Previously, a malicious user could manipulate pathPattern to escape the base path and create volumes pointing to sensitive or unintended directories (for example, /etc), potentially overwriting host files or gaining unauthorized access.

With this fix, path patterns that resolve outside of the base directory are denied, and only safe, normalized paths under the configured base path are allowed.

Patched versions of local-path-provisioner include releases v0.0.34 (and later).

No patches are provided for earlier releases, as they do not include the necessary path validation and normalization logic.

Workarounds

There are no workarounds for this issue. Users must upgrade to a patched version of local-path-provisioner to fully mitigate the vulnerability.

References

There are any questions or comments about this advisory:

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
C
H
U
10
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-jr3w-9vfr-c746, https://github.com/rancher/local-path-provisioner, https://github.com/rancher/local-path-provisioner/blob/d4f71b4b03a321e9f54be00808e9de42b8bfd35a/provisioner.go#L381

Severity

9.9

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.9
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0,v0.0.29,v0.0.0-20240526234038-af85381fd304
Fix Available
0.0.34,v0.0.34,v0.0.0-20260106050704-7e533e32a169

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading