CVE-2025-44021 — Path Traversal in Ironic
Severity
2.8 LOW (NVD)
EPSS
0.1%
top 80.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published May 8
Description
OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-defa…
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Exploitability: 1.1 | Impact: 1.4