File Write Vulnerability in OpenStack Ironic by OpenStack
CVE-2025-44021
2.8 LOW
What is CVE-2025-44021?
OpenStack Ironic, prior to version 29.0.1, contains a vulnerability that allows unintended file writes to target node disks during image handling. When a deployment is performed via the API, a malicious actor can supply a file path, potentially corrupting or altering node disk data without authorization. Exploitation requires certain conditions, such as insecure configurations or disabled automated cleaning, but the issue poses a real threat in environments lacking default security measures. The updated versions (24.1.3, 26.1.1, and 29.0.1) mitigate this risk.
Affected Version(s)
Ironic 24 < 24.1.3
Ironic 25 < 26.1.1
Ironic 27 < 29.0.1