CVE-2025-54471: NeuVector is shipping cryptographic material into its binary
(updated )
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
In the patched version, NeuVector leverages the Kubernetes secret neuvector-store-secret in neuvector namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed securely within Kubernetes.
During rolling upgrade or restoring from persistent storage, the NeuVector controller checks each encrypted configured field. If a sensitive field in the configuration is found to be encrypted by the default encryption key, it’s decrypted with the default encryption key and then re-encrypted with the new dynamic encryption key.
If the NeuVector controller does not have the correct RBAC for accessing the new secret, it writes this error log :
Required Kubernetes RBAC for secrets are not found and exits.
The device encryption key is rotated every 3 months. For details, please refer to this Rotating Self-Signed Certificate documentation.
References
- bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54471
- github.com/advisories/GHSA-h773-7gf7-9m2x
- github.com/neuvector/neuvector
- github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88
- github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x
- nvd.nist.gov/vuln/detail/CVE-2025-54471
Code Behaviors & Features
Detect and mitigate CVE-2025-54471 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →