Unknown · Kubernetes · CVE-2025-1767
Name of the Vulnerable Software and Affected Versions:
Kubernetes (affected versions not specified)
Description:
The issue affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable. A user with create pod permission can exploit gitRepo volumes to access local git repositories belonging to other pods on the same node.
Recommendations:
To mitigate the issue, use an init container to execute the git clone operation and then mount the directory in the main container.
For example, create a pod with an init container that clones the git repository and then mounts the repository in the main container:
apiVersion: v1
kind: Pod
metadata:
  name: git-repo-demo
spec:
  initContainers:
  # The init container performs the clone into a shared emptyDir volume,
  # replacing the deprecated in-tree gitRepo volume.
  - name: git-clone
    image: alpine/git
    args:
    - clone
    - --single-branch
    - --
    - https://github.com/kubernetes/kubernetes
    - /repo
    volumeMounts:
    - name: git-repo
      mountPath: /repo
  containers:
  # The main container mounts the same volume and sees the cloned repository.
  - name: busybox
    image: busybox
    args: ['sleep','100000']
    volumeMounts:
    - name: git-repo
      mountPath: /repo
  volumes:
  - name: git-repo
    emptyDir: {}
Alternatively, restrict the use of the gitRepo volume with an admission policy such as a ValidatingAdmissionPolicy, or by enforcing the Restricted Pod Security Standard, which does not allow the gitRepo volume type.
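As an added example (not part of the original advisory), the following ValidatingAdmissionPolicy and its binding reject any pod whose spec declares a gitRepo volume. It assumes a Kubernetes release in which ValidatingAdmissionPolicy is served under admissionregistration.k8s.io/v1 (GA since v1.30); the policy name and message text are chosen here.

```yaml
# Added example: cluster-wide admission policy that denies pods using the
# deprecated in-tree gitRepo volume. Names and message are assumptions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes
spec:
  # Reject the request if the CEL expression itself cannot be evaluated.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  validations:
  # Passes when the pod has no volumes, or none of them sets .gitRepo.
  - expression: "!has(object.spec.volumes) || !object.spec.volumes.exists(v, has(v.gitRepo))"
    message: "gitRepo volumes are deprecated and not permitted; clone with an init container into an emptyDir instead."
    reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes
spec:
  policyName: deny-gitrepo-volumes
  # No matchResources: the policy applies in every namespace.
  validationActions: [Deny]
```

Admission only gates new and updated pods, so existing pods should be audited separately, for example with `kubectl get pods -A -o json | jq -r '.items[] | select(.spec.volumes[]? | has("gitRepo")) | "\(.metadata.namespace)/\(.metadata.name)"'`. Pods created by controllers (Deployments, DaemonSets) are also covered because the controller's pod creation passes through the same admission chain.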