PT-2025-32307 · Unknown · Operator-Sdk

Author: Antony Di (+2)
Published: 2025-08-07 · Updated: 2026-02-11

CVE-2025-7195 · CVSS v3.1: 6.4 (Medium)
Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Operator-SDK versions prior to 0.15.2

Description: Early versions of Operator-SDK included an insecure method for running operator containers in environments that assign a random UID. A build-time script (user setup) changed the permissions of the /etc/passwd file to 664, which makes the file writable by its group. An attacker executing commands within an affected container, even as a non-root user, could leverage root group membership to modify /etc/passwd and add a new user with an arbitrary UID, potentially including UID 0, resulting in full root privileges within the container.

Recommendations: Update to Operator-SDK version 0.15.2 or later. If an older version must be used, ensure the insecure user setup script is not run during container image builds.
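The two conditions described above (a group- or world-writable /etc/passwd, and an extra account that maps to UID 0) can both be checked from inside an image or a running container. The following audit script is an added example written for this advisory; it is not code from Operator-SDK or from the advisory's authors. The passwd content, the account names and the temporary-file demo are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample passwd content: the legitimate root entry, the kind of
# non-root operator account such images typically run as, and an appended
# account that was given UID 0 (the outcome the advisory describes).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "operator:x:1001:0:operator user:/home/operator:/sbin/nologin\n"
    "evil:x:0:0::/root:/bin/sh\n"
)


def writable_by_group_or_other(path):
    """Return the write permissions on `path` that go beyond the owner.

    A healthy /etc/passwd is 644; the vulnerable builds set 664, so the
    group-write bit is the signal to look for.
    """
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def extra_uid0_accounts(passwd_text):
    """Return account names other than 'root' whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed or empty line, skip it
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            names.append(name)
    return names


def audit_passwd(path):
    """Run both checks against one passwd file and return the findings."""
    with open(path) as f:
        text = f.read()
    return {
        "writable": writable_by_group_or_other(path),
        "extra_uid0": extra_uid0_accounts(text),
    }


def demo(mode=0o664):
    """Write the sample passwd to a temp file with the given mode, audit it,
    and clean up. mode=0o664 reproduces the weak permissions from the
    advisory; mode=0o644 is the expected healthy value."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SAMPLE_PASSWD)
        path = f.name
    try:
        os.chmod(path, mode)
        return audit_passwd(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Audit the real file on this host, then the constructed weak sample.
    print("/etc/passwd:", audit_passwd("/etc/passwd"))
    print("sample (664):", demo())
```

Run it inside the container under test (for example as the image's non-root user) and treat a non-empty "writable" list as the build-time defect, and a non-empty "extra_uid0" list as evidence that the file has already been tampered with.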

Fix

Weakness Enumeration: Incorrect Default Permissions (CWE-276)

Related Identifiers

CVE-2025-7195
GHSA-856V-8QM2-9WJV
GO-2025-3852
OPENSUSE-SU-2025:15434-1
SUSE-SU-2025:02912-1

Affected Products

Operator-Sdk