VYPR
Medium severity 5.5 · OSV Advisory · Published Aug 28, 2025 · Updated Apr 15, 2026

CVE-2025-58061

Description

OpenEBS Local PV RawFile allows dynamic deployment of stateful persistent node-local volumes and filesystems for Kubernetes. Prior to version 0.10.0, persistent volume data is world-readable, which allows non-privileged users to access sensitive data such as the databases of Kubernetes workloads. By default, the rawfile-localpv storage class creates persistent volume data under /var/csi/rawfile/ on Kubernetes hosts, and both the directory and the data in it are world-readable. Non-privileged users can therefore access the entire persistent volume data, which can include sensitive information such as a whole database if Kubernetes tenants are running MySQL or PostgreSQL in a container, so the issue could lead to a database breach. This issue has been patched in version 0.10.0.
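A host-side check for the exposure described above, as an added example that is not from the advisory or the OpenEBS project: it walks the volume directory and reports only what other users can actually reach, since a file's own mode bits matter only when every directory above it is traversable. The function name `audit_world_access` is hypothetical, and the check assumes the ancestors of the root directory are themselves traversable and that it is run as root on the node.

```python
import os
import stat

DEFAULT_ROOT = "/var/csi/rawfile"  # default volume data directory named in the advisory


def audit_world_access(root=DEFAULT_ROOT):
    """Return sorted (path, mode, issue) tuples for entries under `root`
    that accounts other than the owner and group can reach.

    Assumption: every ancestor of `root` is traversable by other users.
    Run as root so that private directories can still be listed.
    """
    findings = []
    stack = [os.path.abspath(root)]
    while stack:
        path = stack.pop()
        st = os.lstat(path)  # lstat: never follow symlinks out of the tree
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is meaningless; its target decides
        if stat.S_ISDIR(st.st_mode):
            if mode & stat.S_IROTH:
                findings.append((path, oct(mode), "directory listable by others"))
            if mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "directory writable by others"))
            if mode & stat.S_IXOTH:
                # o+x lets other users reach the children, so descend.
                stack.extend(entry.path for entry in os.scandir(path))
            # Without o+x nothing below is reachable, whatever its own mode.
        elif mode & (stat.S_IROTH | stat.S_IWOTH):
            issue = ("file writable by others" if mode & stat.S_IWOTH
                     else "file readable by others")
            findings.append((path, oct(mode), issue))
    return sorted(findings)


if __name__ == "__main__":
    if os.path.exists(DEFAULT_ROOT):
        for path, mode, issue in audit_world_access():
            print(f"{mode:>6}  {issue:<30} {path}")
    else:
        print(f"{DEFAULT_ROOT} not present on this host")
```

An empty result on a node means no entry under the directory is reachable by other local accounts; any line printed is a path to review after upgrading to the patched version.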

Affected products

1

Patches

1
cfa49b9189f5

fix: set tag with app version (#127)

https://github.com/openebs/rawfile-localpv · Tiago Castro · Jun 17, 2025 · via osv
1 file changed · +1 -1
  • deploy/helm/rawfile-localpv/templates/_helpers.tpl · +1 -1 · modified
    @@ -66,7 +66,7 @@ Create the name of the service account to use
     Some helpers to handle image global information
     */}}
     {{- define "rawfile-localpv.controller-image-tag" -}}
    -{{- $imageTag := .Values.controller.image.tag | default .Values.image.tag | default .Chart.AppVersion }}
    +{{- $imageTag := .Values.controller.image.tag | default .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}
     {{- printf "%s" $imageTag }}
     {{- end }}
     
    
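Review bot: the `v` prefix on the `+` line is applied only to the `.Chart.AppVersion` fallback, so `.Values.controller.image.tag` and `.Values.image.tag` are still used verbatim and an override must carry its own `v` to match a published tag; that asymmetry should be documented next to those keys in values.yaml. The fallback would also render a doubled `v` if `appVersion` in Chart.yaml is ever written with a leading `v`, which `printf "v%s" (.Chart.AppVersion | trimPrefix "v")` would guard against. Separately, the closing `{{- printf "%s" $imageTag }}` is a no-op format and could simply be `{{- $imageTag }}`. Nothing in this hunk touches the permissions of the volume data directory; it only changes which image tag the chart deploys by default.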

References

1
