Medium severity (5.8) · GHSA Advisory · Published Dec 14, 2025 · Updated Apr 15, 2026
CVE-2025-13281
Description
A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/kubernetes (Go) | < 1.32.10 | 1.32.10 |
| k8s.io/kubernetes (Go) | >= 1.33.0-alpha.0, < 1.33.6 | 1.33.6 |
| k8s.io/kubernetes (Go) | >= 1.34.0-alpha.0, < 1.34.2 | 1.34.2 |
Affected products
- Range: >= 1.34.0-alpha.0, < 1.34.2
Patches
7506ce804c20 — Clean up event messages for errors in Portworx in-tree driver
1 file changed · +25 −8
pkg/volume/portworx/portworx.go+25 −8 modified
@@ -307,8 +307,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 klog.Infof("Portworx Volume set up. Dir: %s %v %v", dir, !notMnt, err)
 if err != nil && !os.IsNotExist(err) {
- klog.Errorf("Cannot validate mountpoint: %s", dir)
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Cannot validate mountpoint %s: %v", dir, err)
+ return fmt.Errorf("failed to validate mountpoint: see kube-controller-manager.log for details")
 }
 if !notMnt {
 return nil
@@ -318,7 +319,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 attachOptions[attachContextKey] = dir
 attachOptions[attachHostKey] = b.plugin.host.GetHostName()
 if _, err := b.manager.AttachVolume(b, attachOptions); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to attach volume %s: %v", b.volumeID, err)
+ return fmt.Errorf("failed to attach volume: see kube-controller-manager.log for details")
 }
 klog.V(4).Infof("Portworx Volume %s attached", b.volumeID)
@@ -328,7 +331,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 }
 if err := b.manager.MountVolume(b, dir); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to mount volume %s: %v", b.volumeID, err)
+ return fmt.Errorf("failed to mount volume: see kube-controller-manager.log for details")
 }
 if !b.readOnly {
 volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil))
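Review bot: The new error strings in the three SetUpAt hunks here, and in the TearDownAt hunk that follows, send the reader to kube-controller-manager.log, but a volume plugin's mounter and unmounter methods presumably run in the kubelet on the node, so the V(4) details they log would land in the kubelet log; only the Provision and Delete hunks run in kube-controller-manager. For the node-side paths a message such as `return fmt.Errorf("failed to attach volume: see the kubelet log for details")` would point an operator at the right file. Returning a fresh error without `%w` is the right call here, since per the advisory the original error text is what carried information from control-plane endpoints into events, but any caller that matched on the returned error with errors.Is or errors.As will no longer do so, which is worth a sentence in the commit description. SetUpAt begins and ends outside these hunks. The same wording is repeated in the two backport commits below, which carry the same diff.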
@@ -359,12 +364,16 @@ func (c *portworxVolumeUnmounter) TearDownAt(dir string) error {
 klog.Infof("Portworx Volume TearDown of %s", dir)
 if err := c.manager.UnmountVolume(c, dir); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to unmount volume %s: %v", c.volumeID, err)
+ return fmt.Errorf("failed to unmount volume: see kube-controller-manager.log for details")
 }
 // Call Portworx Detach Volume.
 if err := c.manager.DetachVolume(c); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to detach volume %s: %v", c.volumeID, err)
+ return fmt.Errorf("failed to detach volume: see kube-controller-manager.log for details")
 }
 return nil
@@ -381,7 +390,13 @@ func (d *portworxVolumeDeleter) GetPath() string {
 }
 func (d *portworxVolumeDeleter) Delete() error {
- return d.manager.DeleteVolume(d)
+ err := d.manager.DeleteVolume(d)
+ if err != nil {
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to delete volume %s: %v", d.volumeID, err)
+ return fmt.Errorf("failed to delete volume: see kube-controller-manager.log for details")
+ }
+ return nil
 }
 type portworxVolumeProvisioner struct {
@@ -402,7 +417,9 @@ func (c *portworxVolumeProvisioner) Provision(selectedNode *v1.Node, allowedTopo
 volumeID, sizeGiB, labels, err := c.manager.CreateVolume(c)
 if err != nil {
- return nil, err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to create volume: %v", err)
+ return nil, fmt.Errorf("failed to create volume: see kube-controller-manager.log for details")
 }
 pv := &v1.PersistentVolume{
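Review bot: In the Delete hunk the error is declared as a function-scoped local and then tested, while every other hunk in this commit scopes it to the if statement; `if err := d.manager.DeleteVolume(d); err != nil {` would keep Delete consistent with SetUpAt, TearDownAt and Provision and avoids leaving `err` in scope after the check. The body of Delete is complete within the hunk, so the change is confined to that one line. The same shape is used in the Delete hunks of the two backport commits below.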
97650c1c4fe1 — Clean up event messages for errors in Portworx in-tree driver
1 file changed · +25 −8
pkg/volume/portworx/portworx.go+25 −8 modified
@@ -308,8 +308,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 klog.Infof("Portworx Volume set up. Dir: %s %v %v", dir, !notMnt, err)
 if err != nil && !os.IsNotExist(err) {
- klog.Errorf("Cannot validate mountpoint: %s", dir)
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Cannot validate mountpoint %s: %v", dir, err)
+ return fmt.Errorf("failed to validate mountpoint: see kube-controller-manager.log for details")
 }
 if !notMnt {
 return nil
@@ -319,7 +320,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 attachOptions[attachContextKey] = dir
 attachOptions[attachHostKey] = b.plugin.host.GetHostName()
 if _, err := b.manager.AttachVolume(b, attachOptions); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to attach volume %s: %v", b.volumeID, err)
+ return fmt.Errorf("failed to attach volume: see kube-controller-manager.log for details")
 }
 klog.V(4).Infof("Portworx Volume %s attached", b.volumeID)
@@ -329,7 +332,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 }
 if err := b.manager.MountVolume(b, dir); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to mount volume %s: %v", b.volumeID, err)
+ return fmt.Errorf("failed to mount volume: see kube-controller-manager.log for details")
 }
 if !b.readOnly {
 // Since portworxVolume is in process of being removed from in-tree, we avoid larger refactor to add progress tracking for ownership operation
@@ -362,12 +367,16 @@ func (c *portworxVolumeUnmounter) TearDownAt(dir string) error {
 klog.Infof("Portworx Volume TearDown of %s", dir)
 if err := c.manager.UnmountVolume(c, dir); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to unmount volume %s: %v", c.volumeID, err)
+ return fmt.Errorf("failed to unmount volume: see kube-controller-manager.log for details")
 }
 // Call Portworx Detach Volume.
 if err := c.manager.DetachVolume(c); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to detach volume %s: %v", c.volumeID, err)
+ return fmt.Errorf("failed to detach volume: see kube-controller-manager.log for details")
 }
 return nil
@@ -384,7 +393,13 @@ func (d *portworxVolumeDeleter) GetPath() string {
 }
 func (d *portworxVolumeDeleter) Delete() error {
- return d.manager.DeleteVolume(d)
+ err := d.manager.DeleteVolume(d)
+ if err != nil {
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to delete volume %s: %v", d.volumeID, err)
+ return fmt.Errorf("failed to delete volume: see kube-controller-manager.log for details")
+ }
+ return nil
 }
 type portworxVolumeProvisioner struct {
@@ -405,7 +420,9 @@ func (c *portworxVolumeProvisioner) Provision(selectedNode *v1.Node, allowedTopo
 volumeID, sizeGiB, labels, err := c.manager.CreateVolume(c)
 if err != nil {
- return nil, err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to create volume: %v", err)
+ return nil, fmt.Errorf("failed to create volume: see kube-controller-manager.log for details")
 }
 pv := &v1.PersistentVolume{
dbe17dfe7773 — Clean up event messages for errors in Portworx in-tree driver
1 file changed · +25 −8
pkg/volume/portworx/portworx.go+25 −8 modified
@@ -307,8 +307,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 klog.Infof("Portworx Volume set up. Dir: %s %v %v", dir, !notMnt, err)
 if err != nil && !os.IsNotExist(err) {
- klog.Errorf("Cannot validate mountpoint: %s", dir)
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Cannot validate mountpoint %s: %v", dir, err)
+ return fmt.Errorf("failed to validate mountpoint: see kube-controller-manager.log for details")
 }
 if !notMnt {
 return nil
@@ -318,7 +319,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 attachOptions[attachContextKey] = dir
 attachOptions[attachHostKey] = b.plugin.host.GetHostName()
 if _, err := b.manager.AttachVolume(b, attachOptions); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to attach volume %s: %v", b.volumeID, err)
+ return fmt.Errorf("failed to attach volume: see kube-controller-manager.log for details")
 }
 klog.V(4).Infof("Portworx Volume %s attached", b.volumeID)
@@ -328,7 +331,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
 }
 if err := b.manager.MountVolume(b, dir); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to mount volume %s: %v", b.volumeID, err)
+ return fmt.Errorf("failed to mount volume: see kube-controller-manager.log for details")
 }
 if !b.readOnly {
 // Since portworxVolume is in process of being removed from in-tree, we avoid larger refactor to add progress tracking for ownership operation
@@ -361,12 +366,16 @@ func (c *portworxVolumeUnmounter) TearDownAt(dir string) error {
 klog.Infof("Portworx Volume TearDown of %s", dir)
 if err := c.manager.UnmountVolume(c, dir); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to unmount volume %s: %v", c.volumeID, err)
+ return fmt.Errorf("failed to unmount volume: see kube-controller-manager.log for details")
 }
 // Call Portworx Detach Volume.
 if err := c.manager.DetachVolume(c); err != nil {
- return err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to detach volume %s: %v", c.volumeID, err)
+ return fmt.Errorf("failed to detach volume: see kube-controller-manager.log for details")
 }
 return nil
@@ -383,7 +392,13 @@ func (d *portworxVolumeDeleter) GetPath() string {
 }
 func (d *portworxVolumeDeleter) Delete() error {
- return d.manager.DeleteVolume(d)
+ err := d.manager.DeleteVolume(d)
+ if err != nil {
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to delete volume %s: %v", d.volumeID, err)
+ return fmt.Errorf("failed to delete volume: see kube-controller-manager.log for details")
+ }
+ return nil
 }
 type portworxVolumeProvisioner struct {
@@ -404,7 +419,9 @@ func (c *portworxVolumeProvisioner) Provision(selectedNode *v1.Node, allowedTopo
 volumeID, sizeGiB, labels, err := c.manager.CreateVolume(c)
 if err != nil {
- return nil, err
+ // don't log error details from client calls in events
+ klog.V(4).Infof("Failed to create volume: %v", err)
+ return nil, fmt.Errorf("failed to create volume: see kube-controller-manager.log for details")
 }
 pv := &v1.PersistentVolume{
References
- github.com/advisories/GHSA-r6j8-c6r2-37rr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-13281 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/12/01/4 (nvd, WEB)
- github.com/kubernetes/kubernetes/commit/7506ce804c20696ba32cdb72126270ceaed06e24 (ghsa, WEB)
- github.com/kubernetes/kubernetes/commit/97650c1c4fe15cbb7756ba95b3edc8a8665063ca (ghsa, WEB)
- github.com/kubernetes/kubernetes/commit/dbe17dfe7773563eac95534040f413ada6d2b421 (ghsa, WEB)
- github.com/kubernetes/kubernetes/issues/135525 (nvd, WEB)
- groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ (nvd, WEB)