7.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-vxg3-w9rv-rhr2

EPSS Score

CWE

CWE-532

Published

8/28/2025

Updated

8/28/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vxg3-w9rv-rhr2

GHSA-vxg3-w9rv-rhr2: Contrast leaks workload secrets to logs on INFO level

This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release v1.8.1, but the fix was not ported to the main branch and thus not present in releases v1.9.0 ff.

Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.

Impact

Workload secrets are visible to Kubernetes users with get or list permission on pods/logs, and thus need to be considered compromised.
Since workload secrets are used for encrypted storage and Vault integration, those need to be considered compromised, too.

Patches

Patches:

https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225
https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554

The patches are released with v1.12.2 and v1.13.0 (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.

Workarounds

Existing workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off.

References

First occurrence:

https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8

We are defining a process for handling GHSAs that should prevent such regressions in the future:

https://github.com/edgelesssys/contrast/pull/1739

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-vxg3-w9rv-rhr2

EPSS Score

CWE

CWE-532

Published

8/28/2025

Updated

8/28/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/edgelesssys/contrast	go	>= 1.9.0, <= 1.12.1	1.12.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic case of CWE-532, Insertion of Sensitive Information into Log File. The analysis of the provided patches confirms that the run function in initializer/main.go was logging a variable resp that contained sensitive workload secrets. The patch removes this logging statement and replaces it with a generic message, thus mitigating the vulnerability. The function main.run is the direct source of the information leak and would appear in a runtime profile when the vulnerable code is executed. The vulnerability was a regression, meaning a previous fix was not correctly ported, and the provided commits re-apply the necessary changes to prevent the secret leakage.

Vulnerable functions

main.run

initializer/main.go

The function `run` in `initializer/main.go` was logging the response of a certificate request, which contained sensitive information (workload secrets). This information was logged at the INFO level, making it accessible to anyone with permission to view pod logs.

WAF Protection Rules

WAF Rule

T*is is t** s*m* vuln*r**ility *s *ttps://*it*u*.*om/****l*sssys/*ontr*st/s**urity/**visori*s/**S*-****-*rrq-*pw*. T** ori*in*l vuln*r**ility *** ***n *ix** *or r*l**s* `v*.*.*`, *ut t** *ix w*s not port** to t** m*in *r*n** *n* t*us not pr*s*nt in r

Reasoning

T** vuln*r**ility is * *l*ssi* **s* o* *W*-***, Ins*rtion o* S*nsitiv* In*orm*tion into Lo* *il*. T** *n*lysis o* t** provi*** p*t***s *on*irms t**t t** `run` *un*tion in `initi*liz*r/m*in.*o` w*s lo**in* * v*ri**l* `r*sp` t**t *ont*in** s*nsitiv* wo

7.3

Basic Information

Concerned about an active attack path?

GHSA-vxg3-w9rv-rhr2: Contrast leaks workload secrets to logs on INFO level

Impact

Patches

Workarounds

References

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI