CVE-2025-64433 — Path Traversal in Kubevirt

CWE-22 — Path Traversal7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 78.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubevirt Kubevirt.io Kubevirt

Timeline

PublishedNov 7

Latest updateNov 17

Description

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod's file system. Since libvirt can treat r…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5kubevirt/kubevirt< 1.5.3+1

▶NVDkubevirt/kubevirt< 1.5.3+1

▶Gokubevirt.io/kubevirt1.6.0-alpha.0 — 1.6.0-beta.0.0.20250801195231-a81b27d4600c+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

KubeVirt Arbitrary Container File Read in kubevirt.io/kubevirt↗2025-11-17

▶

CVEList

KubeVirt Arbitrary Container File Read↗2025-11-07

▶

OSV

KubeVirt Arbitrary Container File Read↗2025-11-06

▶

GHSA

KubeVirt Arbitrary Container File Read↗2025-11-06

▶

📋Vendor Advisories

Microsoft

KubeVirt Arbitrary Container File Read↗2025-11-11

▶

Red Hat

kubevirt.io/kubevirt: KubeVirt Arbitrary Container File Read↗2025-11-07

▶