CVE-2025-53542

Name of the Vulnerable Software and Affected Versions: Headlamp versions prior to 0.31.1

Description: Headlamp is an extensible Kubernetes web UI. A command injection issue exists in the codeSign.js script used during the macOS packaging workflow. This is due to the improper use of the execSync() function with unsanitized input from environment variables. The variables ${teamID}, ${entitlementsPath}, and ${config.app} are dynamically derived and passed to shell commands without proper escaping or argument separation, potentially allowing command injection if these values contain malicious input.

Recommendations: Update to Headlamp version 0.31.1 or later.