Medium severity6.5GHSA Advisory· Published Oct 30, 2025· Updated Apr 15, 2026
CVE-2025-54471
CVE-2025-54471
Description
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/neuvector/neuvectorGo | >= 5.3.0, < 5.4.7 | 5.4.7 |
github.com/neuvector/neuvectorGo | >= 0.0.0-20230727023453-1c4957d53911, < 0.0.0-20251020133207-084a437033b4 | 0.0.0-20251020133207-084a437033b4 |
Affected products
12- osv-coords11 versionspkg:apk/chainguard/neuvector-scannerpkg:apk/chainguard/neuvector-scanner-fipspkg:apk/chainguard/neuvector-scanner-monitorpkg:apk/chainguard/neuvector-scanner-monitor-fipspkg:apk/chainguard/neuvector-scanner-taskpkg:apk/chainguard/neuvector-scanner-task-fipspkg:apk/wolfi/neuvector-scannerpkg:apk/wolfi/neuvector-scanner-monitorpkg:apk/wolfi/neuvector-scanner-taskpkg:golang/github.com/neuvector/neuvectorpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 3.962-r0+ 10 more
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: < 3.962-r0
- (no CPE)range: >= 5.3.0, < 5.4.7
- (no CPE)range: < 0.0.20251105T184115-1.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-h773-7gf7-9m2xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-54471ghsaADVISORY
- bugzilla.suse.com/show_bug.cginvdWEB
- github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88ghsaWEB
- github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2xnvdWEB
News mentions
0No linked articles in our index yet.