CVE-2025-7445: secrets-store-sync-controller discloses service account tokens in logs
Hello Kubernetes Community,
A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the parameters sent to the providers.
References
- github.com/advisories/GHSA-rcw7-pqfp-735x
- github.com/kubernetes-sigs/secrets-store-sync-controller
- github.com/kubernetes-sigs/secrets-store-sync-controller/security/advisories/GHSA-rcw7-pqfp-735x
- github.com/kubernetes/kubernetes/issues/133897
- groups.google.com/g/kubernetes-security-announce/c/NP7cQvQ1aGA
- nvd.nist.gov/vuln/detail/CVE-2025-7445
Code Behaviors & Features
Detect and mitigate CVE-2025-7445 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →