PT-2026-6543 · Rancher.Io · Local-Path-Provisioner

Published: 2026-02-04 · Updated: 2026-03-03 · CVE-2025-62878

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: rancher.io/local-path-provisioner versions prior to 0.0.34

Description: A malicious user can manipulate the StorageClass parameter parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. The issue stems from insufficient validation and normalization of parameters.pathPattern: relative path elements such as ".." are not rejected, so the generated PersistentVolume path can resolve outside the configured base directory (for example to /etc/new-dir instead of a path within the expected base path). The fix validates and normalizes parameters.pathPattern so that generated PersistentVolume paths always resolve under the configured base directory, rejecting any path traversal attempt.

Recommendations: Upgrade to local-path-provisioner version 0.0.34 or later to resolve this issue. There are no workarounds available; upgrading is required for full mitigation.
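The following Go snippet illustrates the class of bug described above and the kind of check the fix describes. It is an added example written for this advisory, not code from the local-path-provisioner project: the function names, the PVCRef type, the template field names ({{ .PVC.Namespace }}, {{ .PVC.Name }}) and the base path /opt/local-path-provisioner are assumptions made for illustration. VolumePathUnchecked joins the rendered pattern under the base directory without verification, so a pattern containing ".." escapes the base; VolumePathChecked normalizes the result and rejects anything that does not resolve strictly under the base directory.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
	"text/template"
)

// PVCRef is the subset of PersistentVolumeClaim metadata exposed to the
// pathPattern template. The field names are an assumption for this example.
type PVCRef struct {
	Namespace string
	Name      string
}

// ErrPathEscapesBase is returned when a rendered pathPattern would place the
// volume directory outside the provisioner's base directory.
var ErrPathEscapesBase = errors.New("pathPattern resolves outside the base directory")

// renderPattern expands a Go text/template pathPattern against the claim,
// e.g. "{{ .PVC.Namespace }}/{{ .PVC.Name }}". Template syntax is assumed.
func renderPattern(pathPattern string, pvc PVCRef) (string, error) {
	tmpl, err := template.New("pathPattern").Parse(pathPattern)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]PVCRef{"PVC": pvc}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// VolumePathUnchecked models the vulnerable behaviour: the rendered pattern is
// joined under basePath with no check. filepath.Join collapses ".." elements,
// so "../../etc/new-dir" silently yields /etc/new-dir.
func VolumePathUnchecked(basePath, pathPattern string, pvc PVCRef) (string, error) {
	rendered, err := renderPattern(pathPattern, pvc)
	if err != nil {
		return "", err
	}
	return filepath.Join(basePath, rendered), nil
}

// VolumePathChecked models the hardened behaviour: normalize the joined path
// and verify, via filepath.Rel, that it is a strict descendant of basePath.
// A pattern that resolves to basePath itself ("." relative) is also rejected
// here, a choice made for this example rather than taken from the project.
func VolumePathChecked(basePath, pathPattern string, pvc PVCRef) (string, error) {
	base := filepath.Clean(basePath)
	if !filepath.IsAbs(base) {
		return "", fmt.Errorf("base path %q must be absolute", basePath)
	}
	rendered, err := renderPattern(pathPattern, pvc)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, rendered) // Join also runs Clean on the result
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", fmt.Errorf("%w: pattern %q rendered to %q", ErrPathEscapesBase, pathPattern, full)
	}
	return full, nil
}

func main() {
	// Constructed sample input: a claim and a traversal pattern.
	pvc := PVCRef{Namespace: "team-a", Name: "data"}
	base := "/opt/local-path-provisioner"
	for _, pattern := range []string{
		"{{ .PVC.Namespace }}/{{ .PVC.Name }}",
		"../../etc/new-dir",
	} {
		unchecked, _ := VolumePathUnchecked(base, pattern, pvc)
		checked, err := VolumePathChecked(base, pattern, pvc)
		fmt.Printf("pattern %-40q unchecked=%-40s checked=%q err=%v\n", pattern, unchecked, checked, err)
	}
}
```

The check relies on comparing the cleaned, joined path against the base with filepath.Rel rather than on rejecting the literal string "..", so patterns like "{{ .PVC.Namespace }}/../{{ .PVC.Name }}" that still land inside the base directory are allowed while any that step above it are refused. Note that a pattern starting with "/" is not an escape on its own: filepath.Join treats it as relative to the base.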

Weakness Enumeration: Relative Path Traversal

Related Identifiers

CVE-2025-62878
GHSA-JR3W-9VFR-C746
GO-2026-4425
SUSE-SU-2026:0403-1

Affected Products

Local-Path-Provisioner