CVE-2025-55196 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A vulnerability was discovered in the External Secrets Operator where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector.
This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions.
An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces.
This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster.
To exploit this vulnerability, an attacker must:
PushSecret resources.SecretStore resources.With these conditions met, the attacker could leverage label selectors to list secrets from any namespace and retrieve their contents.
The vulnerability was addressed in v0.19.2 by adding namespace restrictions to the List() calls for both PushSecret and SecretStore controllers.
This ensures that only secrets in the intended namespace are accessible.
Relevant fixes:
List() callsList() callsIf upgrading to v0.19.2 or later is not immediately possible, the following mitigations are recommended:
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
PushSecret and SecretStore resources.PushSecret and SecretStore resources to ensure they are controlled by trusted parties.This vulnerability was reported by @gracedo and @moolen