CVE-2025-1767
Description
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A medium-severity vulnerability in Kubernetes allows users with create pod permission to use the deprecated in-tree gitRepo volume to access local git repositories of other pods on the same node.
Vulnerability
Description
A security vulnerability in Kubernetes, identified as CVE-2025-1767, affects clusters that rely on the deprecated in-tree gitRepo volume feature. This feature, which is used to clone git repositories into pods, does not properly isolate operations when cloning from repositories located on the local filesystem. An attacker with create pod permissions can exploit this by crafting a pod specification that uses a gitRepo volume pointing to a local path, thereby gaining access to git repositories belonging to other pods on the same node [1][2].
Exploitation
The attack requires a user to have permission to create pods in a Kubernetes cluster. The attacker can then specify a gitRepo volume with a repository field that references a local directory (e.g., starting with /) instead of a remote URL. When the kubelet processes the pod creation, it clones the repository from the specified local path, inadvertently exposing the contents of that repository to the attacker's pod. The vulnerability is present in all versions of Kubernetes that include the in-tree gitRepo volume implementation [2][4].
Impact
Successful exploitation allows an attacker to read and potentially modify the contents of git repositories owned by other pods on the same node. This can lead to the disclosure of sensitive information such as credentials, configuration files, or source code. The CVSS v3.1 score is 6.5 (Medium) with a vector of AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impact but no availability impact [2].
Mitigation
Since the in-tree gitRepo volume has been deprecated and will not receive security updates, the primary mitigation is to stop using it. Users should migrate to using an init container to perform git clone operations and mount the directory into the pod. Additionally, administrators can enforce policies using ValidatingAdmissionPolicy or the Restricted pod security standard to reject any pods attempting to use gitRepo volumes. A detection method is also available to list pods that use the in-tree gitRepo volume to clone from local paths [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/kubernetesGo | <= 1.32.3 | — |
Affected products
1- Range: <= 1.32.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5News mentions
0No linked articles in our index yet.