N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62714

GHSA ID

GHSA-5qjg-9mjh-4r92

EPSS Score

CWE

CWE-862

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62714

CVE-2025-62714: Karmada Dashboard API Unauthorized Access Vulnerability

Impact

This is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.

Patches

The issue has been fixed in Karmada Dashboard v0.2.0. This release enforces authentication for all API endpoints. Users are strongly advised to upgrade to version v0.2.0 or later as soon as possible.

Workarounds

If upgrading is not immediately feasible, users can mitigate the risk by:

Restricting network access to the Karmada Dashboard service using Kubernetes Network Policies, firewall rules, or ingress controls.
Placing the Dashboard behind a reverse proxy that enforces authentication (e.g., OAuth2 proxy) to add an additional layer of security.

References

Karmada Dashboard v0.2.0 Release : https://github.com/karmada-io/dashboard/releases/tag/v0.2.0
Fix PR #271
Fix PR #280

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62714

CVE-2025-62714:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62714

GHSA ID

GHSA-5qjg-9mjh-4r92

EPSS Score

CWE

CWE-862

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/karmada-io/dashboard	go	< 0.2.0	0.2.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, GHSA-5qjg-9mjh-4r92, is an authentication bypass in the Karmada Dashboard API. My analysis of the provided patches confirms that the root cause was the complete absence of an authentication and authorization enforcement mechanism for the API endpoints under the /api/v1 path.

The primary fix was introduced in commit 1b3672eff4994dbe61cbb7cccaabd665a2d33ec5, which created a new AuthMiddleware. This middleware, applied in cmd/api/app/router/setup.go, ensures that every request to a v1 API endpoint has a valid Authorization token. Before this change, any function handling a route under /api/v1 was effectively public.

Furthermore, the handler functions themselves were using privileged in-cluster clients (e.g., client.InClusterKarmadaClient()) to interact with the Kubernetes and Karmada APIs. This meant that an unauthenticated request would be processed with the full permissions of the Karmada Dashboard's service account. The patches in commit a7defcd475486122eca5cfe18110b423a3c53851 refactored all API handlers to retrieve the API client from the request context, which is populated by the new ClientMiddleware using the credentials from the authenticated user's request. This ensures that even authenticated users can only perform actions they are authorized to.

The vulnerability description explicitly mentions endpoints like /api/v1/secret and /api/v1/service, which are handled by functions like handleGetSecrets and handleGetServices. These, along with numerous other handlers for different resource types (deployments, jobs, policies, etc.), were all vulnerable due to the missing middleware. Any of these function names would appear in a runtime profile during exploitation. The generateAPIProxy function was also patched to enforce authentication for proxied requests.

In summary, the identified vulnerable functions are the API handlers that, prior to the patch, were processing unauthenticated requests using privileged clients. The evidence is the widespread replacement of privileged client creation with context-aware client retrieval, enabled by the new authentication middleware.

Vulnerable functions

handleGetSecrets

cmd/api/app/routes/secret/handler.go

This function, which handles requests to list secrets, was exposed without authentication. An attacker could directly call the `/api/v1/secrets` endpoint to retrieve all secrets from the Karmada control plane's Kubernetes cluster, as the function previously used a privileged in-cluster client by default.

handleGetServices

cmd/api/app/routes/service/handler.go

This function, which handles requests to list services, was exposed without authentication. An attacker could directly call the `/api/v1/service` endpoint to list all services, gaining sensitive network information. The vulnerability existed because the endpoint lacked an authentication check and the handler used a privileged in-cluster client.

handleGetClusterList

cmd/api/app/routes/cluster/handler.go

This function lists all member clusters managed by Karmada. It was unprotected, allowing an unauthenticated attacker to enumerate all connected clusters, which could be a precursor to further attacks.

generateAPIProxy

cmd/web/app/web.go

This function serves as a reverse proxy for API requests. Prior to the patch, it did not validate the `Authorization` header, allowing unauthenticated requests to be forwarded to backend API services. This effectively created an authentication bypass for any API endpoint accessed through this proxy.

AuthMiddleware

cmd/api/app/router/middleware.go

This function was created as the primary fix for the vulnerability. Its purpose is to check for an `Authorization` token in the request header or query parameters. Before this middleware was introduced and applied to the `/api/v1` route group, all API endpoints under this path were unprotected and accessible without authentication.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62714: Karmada Dashboard API Unauthorized Access Vulnerability

Impact

Patches

Workarounds

References

CVE-2025-62714:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-62714: Karmada Dashboard API Unauthorized Access Vulnerability

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI