CVE-2025-54467: NeuVector process with sensitive arguments lead to leakage

August 28, 2025 (updated September 17, 2025)

When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation. For example,

java -cp /app ... Djavax.net.ssl.trustStorePassword=<Password>

The command with the password appears in the NeuVector security event. To prevent this, NeuVector uses the following default regular expression to detect and redact sensitive data from process commands:

(?i)(password|passwd|token)

Also, you can define custom patterns to redact by creating a Kubernetes ConfigMap. For example:

kubectl create configmap neuvector-custom-rules --from-file=secret-patterns.yaml -n neuvector

Sample secret-patterns.yaml content:

Pattern_list:
- (?i)(pawd|pword)
- (?i)(secret)

NeuVector uses the default and custom regex to decide whether the process command in a security event should be redacted.

Note: If numerous regular expression (regex) patterns are configured in the Kubernetes ConfigMap for extended coverage of sensitive data matching, it can significantly impact performance of NeuVector enforcer, particularly in scenarios involving large inputs or frequent execution. The primary factor contributing to performance issues in regex is backtracking, where the regex engine attempts various matching paths when a pattern doesn’t immediately find a match.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-54467 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →