Critical severity9.9NVD Advisory· Published Feb 25, 2026· Updated Apr 15, 2026

CVE-2025-62878

Description

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/rancher/local-path-provisionerGo	< 0.0.34	0.0.34

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-jr3w-9vfr-c746nvdADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-62878ghsaADVISORY
bugzilla.suse.com/show_bug.cginvdWEB
github.com/rancher/local-path-provisioner/blob/d4f71b4b03a321e9f54be00808e9de42b8bfd35a/provisioner.goghsaWEB
github.com/rancher/local-path-provisioner/security/advisories/GHSA-jr3w-9vfr-c746ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.643
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000