VYPR
Low severity2.8GHSA Advisory· Published May 8, 2025· Updated Jun 17, 2026

CVE-2025-44021

CVE-2025-44021

Description

OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. The fixed versions are 24.1.3, 26.1.1, and 29.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ironicPyPI
< 24.1.324.1.3
ironicPyPI
>= 25.0.0, < 26.1.126.1.1
ironicPyPI
>= 27.0.0, < 29.0.129.0.1

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.