CVE-2025-54468

CWE-200 — Information Exposure5 documents4 sources

Severity

4.7MEDIUM

EPSS

0.0%

top 99.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Rancher Github.com Rancher/rancher

Timeline

PublishedOct 2

Latest updateOct 23

Description

A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5suse/rancher2.12.0 — 2.12.2+3

▶Gogithub.com/rancher/rancher2.12.0 — 2.12.2+3

🔴Vulnerability Details

OSV

Rancher sends sensitive information to external services through the `/meta/proxy` endpoint in github.com/rancher/rancher↗2025-10-23

▶

CVEList

Rancher sends sensitive information to external services through the `/meta/proxy` endpoint↗2025-10-02

▶

GHSA

Rancher sends sensitive information to external services through the `/meta/proxy` endpoint↗2025-09-26

▶

OSV

Rancher sends sensitive information to external services through the `/meta/proxy` endpoint↗2025-09-26

▶