CVE-2025-62714: Karmada Dashboard API Unauthorized Access Vulnerability
This is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.
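The defect pattern described above is an API route group mounted without the authentication middleware that protects the UI. The following Go program is an added illustration, not code from the Karmada Dashboard project (which is built on Gin and validates a JWT; here the standard library `net/http` router is used and a constructed static bearer token stands in for the real JWT check). It contrasts a mux that registers `/api/v1/secret` and `/api/v1/service` with no authentication against one that wraps the whole `/api/` prefix in a single `requireAuth` middleware, so no endpoint can be registered without the check. The `probe` helper issues in-process requests so the two behaviours can be compared offline.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sampleToken is a constructed placeholder standing in for the dashboard's
// real JWT validation; a production middleware verifies signature and claims.
const sampleToken = "example-token-not-real"

// secretsHandler models a backend endpoint that returns cluster Secrets
// (the response body is constructed sample data).
func secretsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(`{"items":[{"name":"db-credentials"}]}`))
}

// requireAuth rejects any request that does not carry a valid bearer token.
// The comparison is constant-time to avoid leaking token bytes via timing.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		token := strings.TrimPrefix(auth, prefix)
		if subtle.ConstantTimeCompare([]byte(token), []byte(sampleToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newVulnerableMux mirrors the pre-fix pattern: API routes are reachable
// without any authentication middleware in front of them.
func newVulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/secret", secretsHandler)
	mux.HandleFunc("/api/v1/service", secretsHandler)
	return mux
}

// newHardenedMux mounts every /api/ route behind requireAuth at the group
// level, so adding a new endpoint cannot silently skip the check. Only the
// health probe stays unauthenticated, and it is outside the /api/ prefix.
func newHardenedMux() http.Handler {
	api := http.NewServeMux()
	api.HandleFunc("/api/v1/secret", secretsHandler)
	api.HandleFunc("/api/v1/service", secretsHandler)

	root := http.NewServeMux()
	root.Handle("/api/", requireAuth(api))
	root.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	return root
}

// probe sends one in-process GET to handler h and returns the status code.
// An empty bearer means no Authorization header is sent.
func probe(h http.Handler, path, bearer string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, no token :", probe(newVulnerableMux(), "/api/v1/secret", ""))
	fmt.Println("hardened,   no token :", probe(newHardenedMux(), "/api/v1/secret", ""))
	fmt.Println("hardened, bad token  :", probe(newHardenedMux(), "/api/v1/secret", "wrong"))
	fmt.Println("hardened, good token :", probe(newHardenedMux(), "/api/v1/secret", sampleToken))
	fmt.Println("hardened, /healthz   :", probe(newHardenedMux(), "/healthz", ""))
}
```

The design point is that authentication is attached to the route group rather than to individual handlers: the vulnerable mux returns 200 to an unauthenticated request for `/api/v1/secret`, while the hardened mux returns 401 for the same request and only serves it with a valid token. A deployment check for this class of bug is the same request made against a running instance, expecting 401 rather than data.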
References
- github.com/advisories/GHSA-5qjg-9mjh-4r92
- github.com/karmada-io/dashboard
- github.com/karmada-io/dashboard/pull/271
- github.com/karmada-io/dashboard/pull/280
- github.com/karmada-io/dashboard/releases/tag/v0.2.0
- github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92
- nvd.nist.gov/vuln/detail/CVE-2025-62714