Kubernetes Secrets Store Sync Controller Vulnerability Affecting Service Account Tokens
CVE-2025-7445

6.5 MEDIUM

Key Information:

Vendor: Kubernetes
CVE Published: 5 September 2025

What is CVE-2025-7445?

CVE-2025-7445 is a vulnerability in the Kubernetes Secrets Store Sync Controller affecting versions before 0.0.2. The controller's purpose is to synchronize secrets from external providers into Kubernetes environments so that workloads can consume them. In affected versions, however, the controller inadvertently writes service account tokens to its logs. These tokens authenticate and authorize access to Kubernetes resources, so anyone who can read the logs can reuse them for unauthorized access.

If exploited, this vulnerability could allow a malicious actor with access to the logs to obtain sensitive information that can be leveraged for further attacks or to gain control over the cluster. The primary concern is the disclosure of service account tokens: a token read from the logs can lead to privilege escalation and the compromise of sensitive workloads and data in the Kubernetes environment.
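To find out which identities were exposed by a leak of this kind, a defender can scan the controller's log output for JWT-shaped strings, decode the payload (without verifying the signature), and report every token whose subject is a Kubernetes service account so that it can be rotated; a redaction helper shows how such lines can be scrubbed before they are shipped. This is an added example, not code from the advisory or from the secrets-store-sync-controller project; the log lines, namespace and service account names are constructed.

```python
import base64
import json
import re

# Three base64url segments; the header segment starts with "eyJ" because that
# is the base64 encoding of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_test_token(claims: dict) -> str:
    """JWT-shaped string with a dummy signature; used only to build test data."""
    header = _b64url_encode(b'{"alg":"RS256","kid":"test"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.c2ln"

def find_leaked_sa_tokens(log_text: str) -> list:
    """One finding per Kubernetes SA token in the log text. The payload is
    decoded without signature verification, only to learn which identity
    ('sub' = 'system:serviceaccount:<namespace>:<name>') leaked for rotation.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in JWT_RE.finditer(line):
            try:
                claims = json.loads(_b64url_decode(match.group(0).split(".")[1]))
            except ValueError:  # covers binascii.Error and JSONDecodeError
                continue
            parts = str(claims.get("sub", "")).split(":", 3)
            if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
                continue  # some other JWT, not a Kubernetes SA token
            findings.append({"line": lineno, "namespace": parts[2],
                             "serviceaccount": parts[3], "exp": claims.get("exp")})
    return findings

def redact_tokens(log_text: str) -> str:
    """Replace every JWT-shaped token before log lines leave the node."""
    return JWT_RE.sub("[REDACTED-JWT]", log_text)

# Constructed klog-style sample lines (not real controller output); names are made up.
SAMPLE_LOG = "\n".join([
    "I0905 10:00:01 controller.go:120] reconciling SecretSync default/db-creds",
    "I0905 10:00:01 provider.go:88] Authorization: Bearer " + make_test_token(
        {"sub": "system:serviceaccount:kube-system:sync-sa", "exp": 1757068800}),
    "I0905 10:00:02 provider.go:91] upstream token " + make_test_token(
        {"sub": "alice@example.com"}),
])
```

Running `find_leaked_sa_tokens(SAMPLE_LOG)` reports only the kube-system/sync-sa token on line 2; the non-service-account JWT on line 3 is ignored, while `redact_tokens` scrubs both.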

Potential impact of CVE-2025-7445

  1. Unauthorized Access to Sensitive Resources: An exposed service account token grants an attacker the same access to the cluster as that service account, allowing them to execute commands, modify configurations, or read sensitive data.

  2. Privilege Escalation Risks: If the leaked token belongs to a service account with elevated permissions, an attacker can escalate to that level of privilege and exploit the cluster further, potentially causing significant disruption or data breaches.

  3. Increased Attack Surface: Logging sensitive tokens expands the attack surface, since anyone with access to the logs or the log pipeline can harvest credentials, increasing the likelihood of follow-on activity such as data exfiltration or ransomware deployment.

Affected Version(s)

secrets-store-sync-controller 0 < 0.0.2

secrets-store-sync-controller 0.0.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Reem Rotenberg
Kas Dekel