CVE-2025-23388

Name of the Vulnerable Software and Affected Versions Rancher versions 2.8.0 through 2.8.12 Rancher versions 2.9.0 through 2.9.6 Rancher versions 2.10.0 through 2.10.2

Description The issue is related to an unauthenticated stack overflow in the /v3-public/authproviders API endpoint, which can lead to a denial of service (DoS) and potentially allow an attacker to impersonate any other user by manipulating cookies. This vulnerability affects users of external authentication providers as well as Rancher's local authentication. The estimated number of potentially affected devices is not specified.

Recommendations For Rancher versions 2.8.0 through 2.8.12, update to version 2.8.13 or later. For Rancher versions 2.9.0 through 2.9.6, update to version 2.9.7 or later. For Rancher versions 2.10.0 through 2.10.2, update to version 2.10.3 or later. As a temporary workaround, consider restricting access to the /v3-public/authproviders API endpoint until a patch is applied.