CVE-2025-62878 PUBLISHED

Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern

Assigner: suse
Reserved: 24.10.2025 Published: 25.02.2026 Updated: 25.02.2026

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SUSE
Product	Rancher
Versions	Default: unaffected affected from 0 to 0.0.34 (excl.)

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62878
https://github.com/advisories/GHSA-jr3w-9vfr-c746

Problem Types

CWE-23: Relative Path Traversal CWE