CVE-2025-29781: Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3.
The Baremetal Operator lets users load a Secret from an arbitrary namespace when they deploy the namespace-scoped custom resource BMCEventSubscription (BMCES). An adversary holding a Kubernetes account with only namespace-level roles (for example, a tenant controlling a single namespace) can create a BMCES in their authorized namespace and, through the Baremetal Operator controller's cluster-scoped privileges, have Secrets from namespaces they are not authorized to access loaded into their authorized namespace, causing Secret leakage.
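The pattern behind this class of bug is a namespaced object carrying a Secret reference that includes its own namespace field, which a controller running with cluster-wide read access then follows verbatim. The example below is added here and is not Baremetal Operator code; the struct and field names (`Subscription`, `HeadersRef`, `SecretStore`) are assumptions that stand in for the real CRD and for the API server, and the Secret contents are constructed. It shows the unscoped lookup beside the fix pattern from the advisory's description: confine the lookup to the namespace the subscription lives in and reject any reference that names another one.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretRef mirrors the shape of a Kubernetes SecretReference (name plus an
// optional namespace). The type and field names are assumptions for this example.
type SecretRef struct {
	Name      string
	Namespace string
}

// Subscription is a stand-in for a namespaced BMCEventSubscription object:
// the namespace it was created in and the Secret it points at.
type Subscription struct {
	Namespace  string
	HeadersRef SecretRef
}

// SecretStore is a constructed in-memory stand-in for the API server's Secrets,
// keyed "namespace/name". The real controller reads Secrets with its
// cluster-scoped service account, which is why the lookup must be confined to
// the caller's namespace rather than the caller's choice of namespace.
type SecretStore map[string][]byte

func (s SecretStore) get(namespace, name string) ([]byte, error) {
	data, ok := s[namespace+"/"+name]
	if !ok {
		return nil, fmt.Errorf("secret %s/%s not found", namespace, name)
	}
	return data, nil
}

// ErrCrossNamespace is returned by the hardened resolver when a subscription
// names a Secret outside its own namespace.
var ErrCrossNamespace = errors.New("secret reference must be in the subscription's own namespace")

// resolveHeadersVulnerable follows the reference exactly as written. A tenant
// who may create Subscriptions in one namespace can thereby read any Secret
// the controller's cluster-wide role can read.
func resolveHeadersVulnerable(store SecretStore, sub Subscription) ([]byte, error) {
	ns := sub.HeadersRef.Namespace
	if ns == "" {
		ns = sub.Namespace
	}
	return store.get(ns, sub.HeadersRef.Name)
}

// resolveHeadersHardened rejects a reference that names a different namespace
// and always resolves against the namespace the subscription itself lives in,
// so the tenant's RBAC boundary is preserved even though the controller's is wider.
func resolveHeadersHardened(store SecretStore, sub Subscription) ([]byte, error) {
	if sub.HeadersRef.Namespace != "" && sub.HeadersRef.Namespace != sub.Namespace {
		return nil, fmt.Errorf("%w: got %q, want %q", ErrCrossNamespace, sub.HeadersRef.Namespace, sub.Namespace)
	}
	return store.get(sub.Namespace, sub.HeadersRef.Name)
}

func main() {
	// Constructed sample data: tenant-a owns one Secret, tenant-b owns another.
	store := SecretStore{
		"tenant-a/webhook-headers": []byte("Authorization: Bearer tenant-a-token"),
		"tenant-b/bmc-credentials": []byte("password=constructed-example"),
	}
	// A subscription in tenant-a that points at tenant-b's Secret.
	crossNS := Subscription{Namespace: "tenant-a", HeadersRef: SecretRef{Name: "bmc-credentials", Namespace: "tenant-b"}}

	data, err := resolveHeadersVulnerable(store, crossNS)
	fmt.Printf("unscoped lookup: data=%q err=%v\n", data, err)

	data, err = resolveHeadersHardened(store, crossNS)
	fmt.Printf("scoped lookup:   data=%q err=%v\n", data, err)

	// The legitimate same-namespace case still works under the hardened resolver.
	sameNS := Subscription{Namespace: "tenant-a", HeadersRef: SecretRef{Name: "webhook-headers"}}
	data, err = resolveHeadersHardened(store, sameNS)
	fmt.Printf("same-namespace:  data=%q err=%v\n", data, err)
}
```

The check is cheap, and the same rule applies to any operator whose CRD embeds a `SecretReference`, `ObjectReference` or similar type with a namespace field: either drop the namespace from the CRD schema or validate it against `metadata.namespace` before the controller dereferences it. A validating admission policy can enforce the same invariant at the API server so that a cross-namespace reference is rejected at creation time rather than at reconcile time.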
References
- github.com/advisories/GHSA-c98h-7hp9-v9hq
- github.com/metal3-io/baremetal-operator
- github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c
- github.com/metal3-io/baremetal-operator/pull/2321
- github.com/metal3-io/baremetal-operator/pull/2322
- github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq
- github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md
- nvd.nist.gov/vuln/detail/CVE-2025-29781
Detect and mitigate CVE-2025-29781 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.