N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68476

CVE-2025-68476: KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential

Impact

An Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication.

The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount.

An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request.

The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd.

Patches

The problem has been patched in v2.17.3 and 2.18.3 as well as in main branch.

Workarounds

The only effective workaround is the strict restriction of permissions for creating and modifying TriggerAuthentication resources within the Kubernetes cluster.

Only trusted and authorized users should have create or update permissions on the TriggerAuthentication resource.

This limits an attacker's ability to configure a malicious TriggerAuthentication with an arbitrary path.

Is my project affected?

If it execute s

kubectl get deploy keda-operator -n keda -o jsonpath="{.spec.template.spec.containers[0].image}"

and the version is not 2.17.3, 2.18.3 or >= 2.19.0, that version is affected.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68476

CVE-2025-68476:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/kedacore/keda/v2	go	>= 2.18.0, < 2.18.3	2.18.3
github.com/kedacore/keda/v2	go	< 2.17.3	2.17.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security vulnerability is an arbitrary file read in KEDA's HashiCorp Vault authentication mechanism. The root cause is insufficient validation of the file path provided for the Kubernetes Service Account token. The vulnerable function is github.com/kedacore/keda/v2/pkg/scaling/resolver.HashicorpVaultHandler.token.

Analysis of the patch commit 15c5677f65f809b9b6b59a52f4cf793db0a510fd reveals that the token function in pkg/scaling/resolver/hashicorpvault_handler.go was modified. Previously, the function used os.ReadFile to read the file specified in vh.vault.Credential.ServiceAccount, which is derived from the TriggerAuthentication resource. An attacker could set this to a path like /etc/passwd, and KEDA would read and send the content of this file to the Vault server during authentication.

The patch replaces the direct os.ReadFile call with a new function, readKubernetesServiceAccountProjectedToken. This new function, defined in the newly added pkg/scaling/resolver/k8s_validator.go file, reads the file but then calls validateK8sSAToken to verify its contents. The validation function checks if the file is a valid JWT and, crucially, if the 'sub' (subject) claim within the JWT starts with "system:serviceaccount:". This ensures that only legitimate Kubernetes Service Account tokens are processed, preventing the reading of arbitrary files.

Vulnerable functions

github.com/kedacore/keda/v2/pkg/scaling/resolver.HashicorpVaultHandler.token

pkg/scaling/resolver/hashicorpvault_handler.go

The 'token' function in the 'HashicorpVaultHandler' struct was vulnerable to an arbitrary file read. It directly used 'os.ReadFile' with a user-provided path from 'vh.vault.Credential.ServiceAccount' without proper validation. This allowed an attacker with permissions to modify the 'TriggerAuthentication' resource to specify any file path on the KEDA operator's pod, leading to the exfiltration of that file's content during the HashiCorp Vault authentication process.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68476: KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential

Impact

Patches

Workarounds

Is my project affected?

CVE-2025-68476:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-68476: KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential

Impact

Patches

Workarounds

Is my project affected?

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI