Low severity (3.8) · NVD Advisory · Published Feb 25, 2026 · Updated Apr 15, 2026
CVE-2025-67860
CVE-2025-67860
Description
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/neuvector/scanner (Go) | >= 4.0, < 4.072 | 4.072 |
Patches
1 c2f0f9268468 NVSHAS-10213: [Scanner] Handling of passwords as command arguments (20)
2 files changed · +13 −32
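--- a/monitor/monitor.c
+++ b/monitor/monitor.c
@@ -32,12 +32,8 @@
 #define ENV_SCANNER_REGISTRY "SCANNER_REGISTRY"
 #define ENV_SCANNER_REPOSITORY "SCANNER_REPOSITORY"
 #define ENV_SCANNER_TAG "SCANNER_TAG"
-#define ENV_SCANNER_REG_USER "SCANNER_REGISTRY_USERNAME"
-#define ENV_SCANNER_REG_PASS "SCANNER_REGISTRY_PASSWORD"
 #define ENV_SCANNER_SCAN_LAYERS "SCANNER_SCAN_LAYERS"
 #define ENV_SCANNER_BASE_IMAGE "SCANNER_BASE_IMAGE"
-#define ENV_SCANNER_CTRL_USER "SCANNER_CTRL_API_USERNAME"
-#define ENV_SCANNER_CTRL_PASS "SCANNER_CTRL_API_PASSWORD"
 #define ENV_SCANNER_TLS_VERIFICATION "SCANNER_STANDALONE_TLS_VERIFICATION"
 #define ENV_SCANNER_DEBUG_MODE "SCANNER_DEBUG_MODE"
 #define ENV_SCANNER_PROXY_URL "PROXY_URL"
@@ -135,7 +131,7 @@ static pid_t fork_exec(int i)
     pid_t pid;
     char *args[PROC_ARGS_MAX], *join, *adv, *url;
     char *join_port, *adv_port;
-    char *license, *registry, *repository, *tag, *user, *pass, *base, *api_user, *api_pass, *enable, *proxy_url;
+    char *license, *registry, *repository, *tag, *base, *enable, *proxy_url;
     char *on_demand, *cache_record_max;
     int a;
@@ -224,14 +220,6 @@ static pid_t fork_exec(int i)
     }
     // The following options apply to both standalone or non-standalone mode
-    if ((user = getenv(ENV_SCANNER_REG_USER)) != NULL) {
-        args[a ++] = "--registry_username";
-        args[a ++] = user;
-    }
-    if ((pass = getenv(ENV_SCANNER_REG_PASS)) != NULL) {
-        args[a ++] = "--registry_password";
-        args[a ++] = pass;
-    }
     if ((base = getenv(ENV_SCANNER_BASE_IMAGE)) != NULL) {
         args[a ++] = "--base_image";
         args[a ++] = base;
@@ -241,19 +229,11 @@ static pid_t fork_exec(int i)
             args[a ++] = "--scan_layers";
         }
     }
-    if ((api_user = getenv(ENV_SCANNER_CTRL_USER)) != NULL) {
-        args[a ++] = "--ctrl_username";
-        args[a ++] = api_user;
-    }
-    if ((api_pass = getenv(ENV_SCANNER_CTRL_PASS)) != NULL) {
-        args[a ++] = "--ctrl_password";
-        args[a ++] = api_pass;
-    }
     if ((cache_record_max = getenv(ENV_SCANNER_CACHE_MAX)) != NULL) {
         args[a ++] = "-maxrec";
         args[a ++] = cache_record_max;
     }
-    if ((api_pass = getenv(ENV_SCANNER_TLS_VERIFICATION)) != NULL) {
+    if ((enable = getenv(ENV_SCANNER_TLS_VERIFICATION)) != NULL) {
         args[a ++] = "--enable-tls-verification";
     }
     if ((proxy_url = getenv(ENV_SCANNER_PROXY_URL)) != NULL) {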
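Review bot: The fork_exec hunks drop the argv plumbing for the four credential variables but leave nothing in monitor.c saying where the scanner now expects them, so a maintainer cannot tell that SCANNER_REGISTRY_USERNAME/PASSWORD and SCANNER_CTRL_API_USERNAME/PASSWORD must still reach the child's environment; a comment at the removal point, `// Registry/controller credentials are intentionally not passed on the command line; the scanner reads SCANNER_REGISTRY_* and SCANNER_CTRL_API_* from its own environment`, would record that contract. The fix also relies on the exec call in fork_exec passing the monitor's environment through unchanged, which is outside this hunk — if it ever execs with a scrubbed environment the scanner will silently run with empty credentials instead of failing. Moving the secrets out of the argument list closes the cross-user exposure, but the environment is still readable by anything running as the same user, so container user and file permissions remain part of the mitigation. fork_exec begins and ends outside the hunk.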
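--- a/scanner.go
+++ b/scanner.go
@@ -205,12 +205,8 @@ func main() {
 	registry := flag.String("registry", "", "Scan image registry")
 	repository := flag.String("repository", "", "Scan image repository")
 	tag := flag.String("tag", "latest", "Scan image tag (or digest like sha256:...)")
-	regUser := flag.String("registry_username", "", "Registry username")
-	regPass := flag.String("registry_password", "", "Registry password")
 	scanLayers := flag.Bool("scan_layers", false, "Scan image layers")
 	baseImage := flag.String("base_image", "", "Base image")
-	ctrlUser := flag.String("ctrl_username", "", "Controller REST API username")
-	ctrlPass := flag.String("ctrl_password", "", "Controller REST API password")
 	noWait := flag.Bool("no_wait", false, "No initial wait")
 	noTask := flag.Bool("no_task", false, "Not using scanner task")
 	verbose := flag.Bool("x", false, "more debug")
@@ -257,6 +253,11 @@ func main() {
 		showTaskDebug = true
 	}
+	regUser := os.Getenv("SCANNER_REGISTRY_USERNAME")
+	regPass := os.Getenv("SCANNER_REGISTRY_PASSWORD")
+	ctrlUser := os.Getenv("SCANNER_CTRL_API_USERNAME")
+	ctrlPass := os.Getenv("SCANNER_CTRL_API_PASSWORD")
+
 	var grpcServer *cluster.GRPCServer
 	var ctx context.Context
 	var internalCertControllerCancel context.CancelFunc
@@ -404,8 +405,8 @@ func main() {
 			Registry: reg,
 			Repository: repo,
 			Tag: tag,
-			Username: *regUser,
-			Password: *regPass,
+			Username: regUser,
+			Password: regPass,
 			ScanLayers: *scanLayers,
 			ScanSecrets: false,
 			BaseImage: *baseImage,
@@ -415,8 +416,8 @@ func main() {
 			Registry: *registry,
 			Repository: *repository,
 			Tag: *tag,
-			Username: *regUser,
-			Password: *regPass,
+			Username: regUser,
+			Password: regPass,
 			ScanLayers: *scanLayers,
 			ScanSecrets: true,
 			BaseImage: *baseImage,
@@ -429,7 +430,7 @@ func main() {
 		// submit scan result if join address is given
 		if result != nil && result.Error == share.ScanErrorCode_ScanErrNone &&
-			*join != "" && *ctrlUser != "" && *ctrlPass != "" {
+			*join != "" && ctrlUser != "" && ctrlPass != "" {
 			if *adv == "" {
 				_, addr, err := cluster.ResolveJoinAndBindAddr(*join, sys)
 				if err != nil {
@@ -444,7 +445,7 @@ func main() {
 				joinPort = &port
 			}
-			err := scanSubmitResult(*join, (uint16)(*joinPort), *adv, *ctrlUser, *ctrlPass, result)
+			err := scanSubmitResult(*join, (uint16)(*joinPort), *adv, ctrlUser, ctrlPass, result)
 			if err != nil {
 				log.WithFields(log.Fields{"error": err}).Error("Failed to sumit scan result")
 			} else {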
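Review bot: The new `regUser`/`regPass`/`ctrlUser`/`ctrlPass` block in the second hunk reads the secrets from the environment but leaves them there for the life of the process, so any subprocess the scanner later spawns inherits them; clearing the variables right after the reads, e.g. `os.Unsetenv("SCANNER_REGISTRY_PASSWORD")` and `os.Unsetenv("SCANNER_CTRL_API_PASSWORD")`, confines the exposure to this process (only safe if nothing else in the scanner re-reads them, which I cannot see from the hunk). The block should also carry a comment explaining the choice, e.g. `// Credentials come from the environment rather than flags so they never appear in the process argument list (CVE-2025-67860).`. Removing the `-registry_username`/`-registry_password`/`-ctrl_username`/`-ctrl_password` flags outright means the `flag` package will reject any caller still passing them, which fails loudly rather than silently dropping a credential; that seems right but deserves a release note. main starts and ends outside the hunk.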
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3c9m-gq32-g4jx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-67860 (ghsa, ADVISORY)
- bugzilla.suse.com/show_bug.cgi (nvd, WEB)
- github.com/neuvector/scanner/commit/c2f0f9268468e49eb3addea923156123c4465794 (ghsa, WEB)
- github.com/neuvector/scanner/releases/tag/v4.072 (ghsa, WEB)
- github.com/neuvector/scanner/security/advisories/GHSA-3c9m-gq32-g4jx (ghsa, WEB)
- github.com/harvester/harvester/security/advisories/GHSA-3c9m-gq32-g4jx (nvd)