
CVE-2025-67860: NeuVector scanner insecurely handles passwords as command arguments

February 12, 2026

A vulnerability has been identified in the NeuVector scanner: the scanner process accepts registry and controller credentials as command-line arguments, which can expose these credentials to local users, since process command lines are readable by other accounts on the same host. This may allow unauthorized access to registries or to the NeuVector controller, potentially enabling image manipulation, information disclosure, or further lateral movement within the environment.

Important:

  • Where the exposed credentials belong to services other than Rancher NeuVector, the final impact on confidentiality, integrity and availability depends on the permissions those credentials carry on their respective services.
  • It is recommended to review credentials that may have been exposed in this way and to rotate them where necessary.

Please consult the associated MITRE ATT&CK technique (Credential Access: Unsecured Credentials) for further information about this category of attack.
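As an added illustration (not code from the NeuVector scanner or from this advisory), the weak pattern next to its hardened counterpart in Go: InlineSecrets audits an argument vector for credential flags whose value is given inline, which is the exposure described above, while LoadSecret takes the credential from an environment variable or a file instead. The flag names and the sample command line are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Flags assumed to carry a credential (constructed names, not the scanner's real flags).
var secretFlags = []string{"--registry-password", "--controller-password", "--registry-token"}

// InlineSecrets reports which credential flags in argv carry their value inline, as
// "--flag value" or "--flag=value". Such values are readable by every local user via
// ps or /proc/<pid>/cmdline: the CWE-522 exposure this advisory describes.
func InlineSecrets(argv []string) []string {
	var exposed []string
	for i, arg := range argv {
		for _, flag := range secretFlags {
			separate := arg == flag && i+1 < len(argv) // --flag value
			joined := strings.HasPrefix(arg, flag+"=")  // --flag=value
			if separate || joined {
				exposed = append(exposed, flag)
			}
		}
	}
	return exposed
}

// LoadSecret is the hardened counterpart: the credential comes from an environment
// variable or from a file readable only by the process owner, never from argv.
func LoadSecret(envName, filePath string) (string, error) {
	if v, ok := os.LookupEnv(envName); ok && v != "" {
		return v, nil
	}
	if filePath != "" {
		b, err := os.ReadFile(filePath)
		if err != nil {
			return "", err
		}
		return strings.TrimSpace(string(b)), nil
	}
	return "", fmt.Errorf("credential not provided via %s or a file", envName)
}

func main() {
	weak := []string{"scanner", "--registry-password=hunter2", "--controller-password", "s3cret"} // constructed, not a real NeuVector command line
	fmt.Println("flags exposing credentials in argv:", InlineSecrets(weak)) // both password flags
	os.Setenv("REGISTRY_PASSWORD", "hunter2") // hardened path: secret supplied via the environment
	pw, err := LoadSecret("REGISTRY_PASSWORD", "")
	fmt.Println("credential loaded without touching argv:", pw != "", err)
}
```

Running InlineSecrets over each process's argument vector on a host is a quick local audit for this class of exposure; a `--password-file`-style flag is not reported because only the path, not the secret, appears in argv.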

References

  • github.com/advisories/GHSA-3c9m-gq32-g4jx
  • github.com/neuvector/scanner
  • github.com/neuvector/scanner/commit/c2f0f9268468e49eb3addea923156123c4465794
  • github.com/neuvector/scanner/releases/tag/v4.072
  • github.com/neuvector/scanner/security/advisories/GHSA-3c9m-gq32-g4jx
  • nvd.nist.gov/vuln/detail/CVE-2025-67860


Affected versions

All versions starting from 4.0 before 4.072

Fixed versions

  • 4.072

Solution

Upgrade to version 4.072 or above.

Impact: 3.8 LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N


Weakness

  • CWE-522: Insufficiently Protected Credentials

Source file

go/github.com/neuvector/scanner/CVE-2025-67860.yml


Page generated Thu, 26 Feb 2026 12:18:21 +0000.