High severityOSV Advisory· Published Dec 22, 2025· Updated Apr 15, 2026

CVE-2025-68476

Description

KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/kedacore/keda/v2Go	>= 2.18.0, < 2.18.3	2.18.3
github.com/kedacore/keda/v2Go	< 2.17.3	2.17.3

Affected products

Kedacore/KedaOSV
Range: v1.0.0, v1.1.0, v1.2.0, …

Patches

15c5677f65f8

Merge commit from fork

https://github.com/kedacore/kedaJorge Turrado FerreroDec 22, 2025via ghsa

commit

3 files changed · +221 −3

pkg/scaling/resolver/hashicorpvault_handler.go+6 −3 modified

@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -30,6 +29,10 @@ import (
 	"github.com/kedacore/keda/v2/pkg/scalers/authentication"
 )
 
+const (
+	serviceAccountTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+)
+
 // HashicorpVaultHandler is a specification of HashiCorp Vault
 type HashicorpVaultHandler struct {
 	vault     *kedav1alpha1.HashiCorpVault
@@ -118,7 +121,7 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 
 		if vh.vault.Credential == nil {
 			defaultCred := kedav1alpha1.Credential{
-				ServiceAccount: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				ServiceAccount: serviceAccountTokenFile,
 			}
 			vh.vault.Credential = &defaultCred
 		}
@@ -131,7 +134,7 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 			jwt = []byte(GenerateBoundServiceAccountToken(context.Background(), vh.vault.Credential.ServiceAccountName, vh.namespace, vh.acs))
 		} else if len(vh.vault.Credential.ServiceAccount) != 0 {
 			// Get the JWT from POD
-			jwt, err = os.ReadFile(vh.vault.Credential.ServiceAccount)
+			jwt, err = readKubernetesServiceAccountProjectedToken(vh.vault.Credential.ServiceAccount)
 			if err != nil {
 				return token, err
 			}

pkg/scaling/resolver/k8s_validator.go+39 −0 added

@@ -0,0 +1,39 @@
+package resolver
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+var parser = jwt.NewParser()
+
+func readKubernetesServiceAccountProjectedToken(path string) ([]byte, error) {
+	jwt, err := os.ReadFile(path)
+	if err != nil {
+		return []byte{}, err
+	}
+	if err = validateK8sSAToken(jwt); err != nil {
+		return []byte{}, err
+	}
+	return jwt, nil
+}
+
+func validateK8sSAToken(saToken []byte) error {
+	claims := jwt.MapClaims{}
+	_, _, err := parser.ParseUnverified(string(saToken), &claims)
+	if err != nil {
+		return fmt.Errorf("error validating token: %w", err)
+	}
+	sub, err := claims.GetSubject()
+	if err != nil {
+		return fmt.Errorf("error getting token sub: %w", err)
+	}
+	if !strings.HasPrefix(sub, "system:serviceaccount:") {
+		return fmt.Errorf("error validating token: subject isn't a service account")
+	}
+
+	return nil
+}

pkg/scaling/resolver/k8s_validator_test.go+176 −0 added

@@ -0,0 +1,176 @@
+/*
+Copyright 2025 The KEDA Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func TestReadKubernetesServiceAccountProjectedToken(t *testing.T) {
+	tests := []struct {
+		name        string
+		setupToken  func() string
+		expectError bool
+		validate    func([]byte) bool
+	}{
+		{
+			name: "valid token",
+			setupToken: func() string {
+				privateKey, _, err := generateTestRSAKeyPair()
+				if err != nil {
+					t.Fatalf("failed to generate RSA keys: %v", err)
+				}
+
+				// Create valid JWT token
+				claims := jwt.MapClaims{
+					"iss": "kubernetes/serviceaccount",
+					"sub": "system:serviceaccount:default:default",
+					"exp": time.Now().Add(time.Hour).Unix(),
+					"iat": time.Now().Unix(),
+				}
+				tokenBytes, err := createJWTToken(privateKey, claims)
+				if err != nil {
+					t.Fatalf("failed to create JWT token: %v", err)
+				}
+				tokenPath := createTempFile(t, tokenBytes)
+
+				return tokenPath
+			},
+			expectError: false,
+			validate: func(token []byte) bool {
+				return len(token) > 0
+			},
+		},
+		{
+			name: "token file does not exist",
+			setupToken: func() string {
+				return "/nonexistent/token/path"
+			},
+			expectError: true,
+		},
+		{
+			name: "arbitrary file content is not a valid token",
+			setupToken: func() string {
+				// Create an arbitrary file with random content that is not a JWT
+				arbitraryContent := []byte("This is just arbitrary file content, not a JWT token at all")
+				tokenPath := createTempFile(t, arbitraryContent)
+
+				return tokenPath
+			},
+			expectError: true,
+		},
+		{
+			name: "not sa token",
+			setupToken: func() string {
+				privateKey, _, err := generateTestRSAKeyPair()
+				if err != nil {
+					t.Fatalf("failed to generate RSA keys: %v", err)
+				}
+
+				// Create valid JWT token but not from k8s
+				claims := jwt.MapClaims{
+					"iss": "random-issuer",
+					"sub": "1234-3212",
+					"exp": time.Now().Add(time.Hour).Unix(),
+					"iat": time.Now().Unix(),
+				}
+				tokenBytes, err := createJWTToken(privateKey, claims)
+				tokenPath := createTempFile(t, tokenBytes)
+
+				return tokenPath
+			},
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tokenPath := tt.setupToken()
+			defer os.Remove(tokenPath)
+
+			result, err := readKubernetesServiceAccountProjectedToken(tokenPath)
+
+			if (err != nil) != tt.expectError {
+				t.Errorf("readKubernetesServiceAccountProjectedToken() error = %v, expectError = %v", err, tt.expectError)
+				return
+			}
+
+			if !tt.expectError && tt.validate != nil {
+				if !tt.validate(result) {
+					t.Errorf("readKubernetesServiceAccountProjectedToken() returned invalid result")
+				}
+			}
+		})
+	}
+}
+
+// Helper function to generate RSA key pair for testing
+func generateTestRSAKeyPair() (*rsa.PrivateKey, *rsa.PublicKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	return privateKey, &privateKey.PublicKey, nil
+}
+
+// Helper function to create a valid JWT token for testing
+func createJWTToken(privateKey *rsa.PrivateKey, claims jwt.MapClaims) ([]byte, error) {
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	tokenString, err := token.SignedString(privateKey)
+	if err != nil {
+		return nil, err
+	}
+	return []byte(tokenString), nil
+}
+
+// Helper function to write RSA public key to PEM format
+func writePublicKeyPEM(publicKey *rsa.PublicKey) ([]byte, error) {
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(publicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	publicKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyBytes,
+	})
+
+	return publicKeyPEM, nil
+}
+
+// Helper function to create temporary files for testing
+func createTempFile(t *testing.T, content []byte) string {
+	tmpFile, err := os.CreateTemp("", "k8s_test_*")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer tmpFile.Close()
+
+	if _, err := tmpFile.Write(content); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+
+	return tmpFile.Name()
+}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-c4p6-qg4m-9jmrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-68476ghsaADVISORY
github.com/kedacore/keda/commit/15c5677f65f809b9b6b59a52f4cf793db0a510fdnvdWEB
github.com/kedacore/keda/security/advisories/GHSA-c4p6-qg4m-9jmrnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000