GHSA-f5p4-p5q5-jv3h: Contrast has insecure LUKS2 persistent storage partitions may be opened and used

October 28, 2025

A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature. The guest will open the volume and write secret data using a volume key known to the attacker.

LUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:

Opens (cryptsetup open) without error using any passphrase or token
Records all writes in plaintext (or ciphertext with an attacker-known key)

References

github.com/advisories/GHSA-f5p4-p5q5-jv3h
github.com/edgelesssys/contrast
github.com/edgelesssys/contrast/commit/2252a231d570c2dce10a33660452b0bfc3c43958
github.com/edgelesssys/contrast/pull/1731
github.com/edgelesssys/contrast/security/advisories/GHSA-f5p4-p5q5-jv3h

Code Behaviors & Features

Detect and mitigate GHSA-f5p4-p5q5-jv3h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →