CVE-2025-23390: Fleet doesn’t validate a server’s certificate when connecting through SSH
(updated )
A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server’s certificate when connecting through SSH if the certificate isn’t set in the known_hosts file. This could allow the execution of a man-in-the-middle (MitM) attack against Fleet. In case the server that is being connected to has a trusted entry in the known_hosts file, then Fleet will correctly check the authenticity of the presented certificate.
Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle for further information about this category of attack.
References
- github.com/advisories/GHSA-xgpc-q899-67p8
- github.com/rancher/fleet
- github.com/rancher/fleet/pull/3571
- github.com/rancher/fleet/pull/3572
- github.com/rancher/fleet/pull/3573
- github.com/rancher/fleet/releases/tag/v0.10.12
- github.com/rancher/fleet/releases/tag/v0.11.7
- github.com/rancher/fleet/releases/tag/v0.12.2
- github.com/rancher/fleet/security/advisories/GHSA-xgpc-q899-67p8
- nvd.nist.gov/vuln/detail/CVE-2025-23390
- pkg.go.dev/vuln/GO-2025-3649
Code Behaviors & Features
Detect and mitigate CVE-2025-23390 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →