CVE-2025-1767
Published 2025-03-13
Priority P4 · 34 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.52% (40.0th percentile)
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | 0 – 1.32.3 | — |
| kubernetes | kubelet | — | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| msrc | azl3_kubernetes_1.30.10-7_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-18_on_cbl_mariner_2.0 | — | — |
| open-webui | open-webui | >= 0 < 0.6.37 | 0.6.37 |
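CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |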
GHSA
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web
ghsa·2025-12-04
CVE-2025-65958 [HIGH] CWE-918 Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web
### Summary
A Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required.
### Details
The vulnerability exists in the `/api/v1/retrieval/process/web` endpoint located in `backend/open_webui/routers/retrieval.py` at lines 1758-1767.
Vulnerable code:
```python
@router.post("/process/web")
def process_web(
    request: Request, form_data: ProcessUrlForm,
```
OSV
Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes
osv·2025-03-25
CVE-2025-1767 Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes
OSV
CVE-2025-1767: This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node
osv·2025-03-13·CVSS 6.5
CVE-2025-1767 [MEDIUM]
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
GHSA
Kubernetes GitRepo Volume Inadvertent Local Repository Access
ghsa·2025-03-13
CVE-2025-1767 [MEDIUM] CWE-20 Kubernetes GitRepo Volume Inadvertent Local Repository Access
A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
OSV
Kubernetes GitRepo Volume Inadvertent Local Repository Access
osv·2025-03-13
CVE-2025-1767 [MEDIUM] Kubernetes GitRepo Volume Inadvertent Local Repository Access
A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
Red Hat
kubelet: GitRepo Volume Inadvertent Local Repository Access
vendor_redhat·2025-03-13·CVSS 6.5
CVE-2025-1767 [MEDIUM] CWE-280 kubelet: GitRepo Volume Inadvertent Local Repository Access
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
A flaw was found in Kubernetes. This vulnerability allows a user with create pod permissions to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node.
Statement: This vulnerability is rated as moderate severity because it affects Kubernetes clusters using the deprecated in-tree gitRepo volume feature, which allows cloning git repositories from other pods within the same node.
Microsoft
vendor_msrc·2025-03-11·CVSS 6.5
CVE-2025-1767 [MEDIUM] CWE-20
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 20
Debian
CVE-2025-1767: kubernetes - This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volum...
vendor_debian·2025·CVSS 6.5
CVE-2025-1767 [MEDIUM]
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
No detection rules found.
No public exploits indexed.
2025-03-13
Published