Command Injection Vulnerability in Kubernetes Headlamp by Cloud Native Computing Foundation
CVE-2025-53542

7.8 HIGH

Key Information:

Status
Vendor
CVE Published: 10 July 2025

What is CVE-2025-53542?

A command injection vulnerability has been identified in Kubernetes Headlamp's macOS packaging workflow, specifically in the codeSign.js script. The flaw arises from improper handling of the environment variables ${teamID}, ${entitlementsPath}, and ${config.app}, which are not adequately sanitized before being interpolated into shell commands. An attacker able to supply values for these variables could inject shell metacharacters into them and cause unintended commands to execute on the system. The issue has been resolved in version 0.31.1.

Affected Version(s)

headlamp < 0.31.1

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
