N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64171

GHSA ID

GHSA-gf93-xccm-5g6j

EPSS Score

CWE

CWE-862

Published

11/4/2025

Updated

11/4/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64171

CVE-2025-64171: MARIN3R: Cross-Namespace Vulnerability in the Operator

Summary

Cross-namespace Secret access vulnerability in DiscoveryServiceCertificate allows users to bypass RBAC and access Secrets in unauthorized namespaces.

Affected Versions

All versions prior to v0.13.4

Patched Versions

v0.13.4 and later

Impact

Users with permission to create DiscoveryServiceCertificate resources in one namespace can indirectly read Secrets from other namespaces, completely bypassing Kubernetes RBAC security boundaries.

Workarounds

Restrict DiscoveryServiceCertificate create permissions to cluster administrators only until patched version is deployed.

Credit

Thanks to @debuggerchen for the responsible disclosure.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64171

CVE-2025-64171:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64171

GHSA ID

GHSA-gf93-xccm-5g6j

EPSS Score

CWE

CWE-862

Published

11/4/2025

Updated

11/4/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/3scale-sre/marin3r	go	<= 0.13.3	0.13.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security patch commit c60246a43ae8c0c38dd7267f298d68a121a159fa clearly indicates that the vulnerability lies within the getIssuerCertificate function of the CertificateProvider struct, located in internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r/crud.go. Before the patch, the function directly used the namespace provided in the DiscoveryServiceCertificate's spec.signer.caSigned.secretRef.namespace field to fetch a Kubernetes Secret. This allowed a user who could create a DiscoveryServiceCertificate in a given namespace to craft a resource that points to a Secret in a different, unauthorized namespace, thereby bypassing RBAC. The patch rectifies this by introducing a validation step that compares the namespace of the DiscoveryServiceCertificate resource with the namespace specified in the secretRef. If the namespaces do not match, the operation is aborted, and an error is returned. Therefore, the getIssuerCertificate function is the exact location of the vulnerability, as it was responsible for processing the malicious input (the cross-namespace secret reference).

Vulnerable functions

CertificateProvider.getIssuerCertificate

internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r/crud.go

The function `getIssuerCertificate` was vulnerable because it did not validate that the namespace of the referenced secret was the same as the namespace of the DiscoveryServiceCertificate resource. This allowed a user with permissions to create a DiscoveryServiceCertificate in one namespace to access secrets in any other namespace by specifying a different namespace in the `secretRef`. The patch adds a check to ensure the namespaces match, preventing the cross-namespace access.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64171: MARIN3R: Cross-Namespace Vulnerability in the Operator

Summary

Affected Versions

Patched Versions

Impact

Workarounds

Credit

CVE-2025-64171:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

N/A

N/A

CVE-2025-64171: MARIN3R: Cross-Namespace Vulnerability in the Operator

Summary

Affected Versions

Patched Versions

Impact

Workarounds

Credit

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI