PT-2025-11205 · Unknown · Kubernetes

Christophe Hauquiert · Published 2025-03-13 · Updated 2026-05-18 · CVE-2025-1767

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Kubernetes (affected versions not specified)
Description: The issue affects Kubernetes clusters that use the in-tree gitRepo volume type. The gitRepo volume feature is deprecated and no longer receives security updates upstream, so any cluster that still allows it remains vulnerable. A user with permission to create pods can abuse gitRepo volumes to access local git repositories belonging to other pods on the same node.
Recommendations: To mitigate the issue, use an init container to perform the git clone and then mount the cloned directory in the main container. For example, the following pod runs the clone in an init container and shares the result with the main container through an emptyDir volume (the repository URL is not given on this page and is shown as a placeholder):

    apiVersion: v1
    kind: Pod
    metadata:
      name: git-repo-demo
    spec:
      initContainers:
        - name: git-clone
          image: alpine/git
          args:
            - clone
            - --single-branch
            - --
            - <REPOSITORY_URL>   # placeholder: the repository to clone
            - /repo              # clone into the shared volume
          volumeMounts:
            - name: git-repo
              mountPath: /repo
      containers:
        - name: busybox
          image: busybox
          args: ['sleep', '100000']
          volumeMounts:
            - name: git-repo
              mountPath: /repo
      volumes:
        - name: git-repo
          emptyDir: {}

Alternatively, restrict the use of the gitRepo volume with policies such as ValidatingAdmissionPolicy or the Restricted Pod Security Standard.

Related Identifiers

BDU:2025-02820
CLEANSTART-2026-KY75084
CLEANSTART-2026-TO88856
CVE-2025-1767
ECHO-02EA-798C-F000
GHSA-3WGM-2GW2-VH5M
GO-2025-3521
OPENSUSE-SU-2025:14924-1
OPENSUSE-SU-2025:14925-1
OPENSUSE-SU-2025:14926-1
OPENSUSE-SU-2025:14927-1
OPENSUSE-SU-2025:14937-1

Affected Products

Kubernetes