
CVE-2025-64171: MARIN3R: Cross-Namespace Vulnerability in the Operator

Basic Information

CVSS Score: N/A
EPSS Score: -
Published: 11/4/2025
Updated: 11/4/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: -

Package Name: github.com/3scale-sre/marin3r
Ecosystem: go
Vulnerable Versions: <= 0.13.3
First Patched Version: 0.13.4

Vulnerability Intelligence

Root Cause Analysis

Analysis of the security patch commit c60246a43ae8c0c38dd7267f298d68a121a159fa indicates that the vulnerability lies in the `getIssuerCertificate` function of the `CertificateProvider` struct, located in internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r/crud.go. Before the patch, the function used the namespace from the DiscoveryServiceCertificate's `spec.signer.caSigned.secretRef.namespace` field directly when fetching a Kubernetes Secret. A user who could create a DiscoveryServiceCertificate in a given namespace could therefore craft a resource that points to a Secret in a different, unauthorized namespace, bypassing RBAC. The patch introduces a validation step that compares the namespace of the DiscoveryServiceCertificate resource with the namespace specified in the `secretRef`. If the namespaces do not match, the operation is aborted and an error is returned. The `getIssuerCertificate` function is therefore the exact location of the vulnerability, as it was responsible for processing the malicious input (the cross-namespace secret reference).

Vulnerable functions

CertificateProvider.getIssuerCertificate
internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r/crud.go
The function `getIssuerCertificate` was vulnerable because it did not validate that the namespace of the referenced secret was the same as the namespace of the DiscoveryServiceCertificate resource. This allowed a user with permissions to create a DiscoveryServiceCertificate in one namespace to access secrets in any other namespace by specifying a different namespace in the `secretRef`. The patch adds a check to ensure the namespaces match, preventing the cross-namespace access.
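
A minimal model of the namespace check described above, as an added example rather than MARIN3R's own code: the types, the in-memory `SecretStore`, both lookup functions and the empty-namespace default are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the Kubernetes objects involved (not MARIN3R's types).
type SecretRef struct{ Name, Namespace string }
type DiscoveryServiceCertificate struct {
	Namespace   string
	CASecretRef SecretRef // models spec.signer.caSigned.secretRef
}

// SecretStore models the operator's cluster-wide read access, keyed "namespace/name".
type SecretStore map[string][]byte

var ErrCrossNamespace = errors.New("secretRef namespace differs from resource namespace")

func (s SecretStore) get(ns, name string) ([]byte, error) {
	if v, ok := s[ns+"/"+name]; ok {
		return v, nil
	}
	return nil, fmt.Errorf("secret %s/%s not found", ns, name)
}

// lookupUnchecked models the pre-patch behaviour: the user-controlled namespace is trusted.
func lookupUnchecked(s SecretStore, d DiscoveryServiceCertificate) ([]byte, error) {
	return s.get(d.CASecretRef.Namespace, d.CASecretRef.Name)
}

// lookupChecked models the patched behaviour: abort on a namespace mismatch.
// Assumption: an empty secretRef namespace means the resource's own namespace.
func lookupChecked(s SecretStore, d DiscoveryServiceCertificate) ([]byte, error) {
	ns := d.CASecretRef.Namespace
	if ns == "" {
		ns = d.Namespace
	}
	if ns != d.Namespace {
		return nil, fmt.Errorf("%w: %q != %q", ErrCrossNamespace, ns, d.Namespace)
	}
	return s.get(ns, d.CASecretRef.Name)
}

func main() {
	store := SecretStore{"team-a/ca": []byte("A"), "team-b/ca": []byte("B")} // constructed data
	_, err := lookupChecked(store, DiscoveryServiceCertificate{"team-a", SecretRef{"ca", "team-b"}})
	fmt.Println("checked lookup:", err)
}
```

The check belongs in the reconciler because the operator reads Secrets with its own service account, so Kubernetes RBAC on the requesting user is never consulted for the referenced Secret.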
