CVE-2025-54469

Name of the Vulnerable Software and Affected Versions NeuVector versions prior to 5.4.7

Description A critical issue exists in NeuVector where the enforcer component improperly handles environment variables CLUSTER RPC PORT and CLUSTER LAN PORT. These variables are used to construct shell commands executed via the popen() function without proper validation or sanitization. This allows a malicious user who can modify these environment variables to inject arbitrary commands within the enforcer container. The vulnerability could lead to remote code execution. Approximately 829 instances have been identified via ZoomEye, and over 23,600 services are found yearly. The vulnerability is exploitable by crafting malicious values for the CLUSTER RPC PORT and CLUSTER LAN PORT environment variables. The popen() function is used to execute shell commands to check the status of a consul subprocess. The lack of input validation on these environment variables allows for command injection.

Recommendations Upgrade to NeuVector version 5.4.7 or later.