CVE-2025-62878 Overview
CVE-2025-62878 is a path traversal vulnerability [CWE-23] affecting a Kubernetes storage provisioner that creates PersistentVolumes on host nodes. A malicious user with permission to define volume parameters can manipulate the parameters.pathPattern value to direct volume creation outside the intended directory. The flaw allows attackers to write to arbitrary locations on the underlying host, including paths containing sensitive configuration or binary files.
Critical Impact
Authenticated attackers can overwrite host files or access unintended directories on cluster nodes, breaking workload isolation and enabling node compromise.
Affected Products
- Kubernetes storage provisioner referenced in GitHub Security Advisory GHSA-jr3w-9vfr-c746
- SUSE-distributed builds tracked under SUSE Bugzilla CVE-2025-62878
- Deployments consuming the affected pathPattern storage class parameter
Discovery Timeline
- 2026-02-25 - CVE-2025-62878 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-62878
Vulnerability Analysis
The vulnerability resides in how the storage provisioner resolves the parameters.pathPattern field when materializing a PersistentVolume on a host node. The provisioner accepts the pattern from user-controlled volume parameters and uses it to construct the on-disk path without validating that the resulting location stays within an approved root directory.
An attacker who can submit storage class parameters or PersistentVolumeClaim definitions can supply path traversal sequences. The provisioner then creates directories or files at the resolved location with the privileges of the node-level component, which typically runs as root. This breaks the trust boundary between tenant workloads and the host filesystem.
The scope change reflected in the CVSS vector indicates that exploitation crosses from the Kubernetes API authorization context into the host operating system. Successful exploitation can overwrite critical host files such as /etc/passwd, kubelet configuration, or container runtime sockets.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-23]. The provisioner concatenates user-controlled segments from pathPattern with a base directory and does not canonicalize the resulting path or reject .. traversal sequences.
Attack Vector
An authenticated user with low privileges submits a PersistentVolumeClaim referencing a storage class whose pathPattern contains traversal sequences. When the provisioner reconciles the claim, it creates the backing directory at the attacker-chosen host location. Because the vector is network-reachable through the Kubernetes API, no local node access is required.
The vulnerability is described in prose only — refer to the GitHub Security Advisory GHSA-jr3w-9vfr-c746 and SUSE Bugzilla CVE-2025-62878 for upstream technical details.
Detection Methods for CVE-2025-62878
Indicators of Compromise
- PersistentVolume or StorageClass objects whose parameters.pathPattern contains .., absolute paths, or symbolic link references
- Unexpected directories or files created on node filesystems outside the provisioner's documented root
- Kubelet or container runtime logs showing volume mounts resolving to system paths such as /etc, /var/lib/kubelet, or /root
Detection Strategies
- Audit Kubernetes API server logs for create and update operations on StorageClass and PersistentVolumeClaim resources, filtering for traversal characters in parameters
- Run admission policies (OPA Gatekeeper, Kyverno) that reject manifests where parameters.pathPattern does not match an allowlist regular expression
- Compare on-disk volume paths against the configured provisioner root and alert on deviations
Monitoring Recommendations
- Forward Kubernetes audit logs and node filesystem telemetry to a centralized analytics platform for correlation
- Monitor file integrity on sensitive host paths such as /etc, /usr/bin, and kubelet configuration directories
- Alert on PersistentVolume creation events targeting hostPath-style locations outside expected storage roots
How to Mitigate CVE-2025-62878
Immediate Actions Required
- Restrict who can create or modify StorageClass objects using RBAC, limiting this permission to cluster administrators
- Deploy admission controllers that validate parameters.pathPattern against a strict allowlist before objects reach the provisioner
- Inventory existing PersistentVolumes and remove any whose host paths fall outside the approved provisioning root
Patch Information
Consult the GitHub Security Advisory GHSA-jr3w-9vfr-c746 and the SUSE Bugzilla CVE-2025-62878 entry for fixed versions and upgrade instructions. Apply the upstream patch as soon as a supported release is available for your distribution.
Workarounds
- Disable dynamic provisioning for the affected storage class until patched versions are deployed
- Enforce Pod Security Admission and OPA/Kyverno policies that block PVCs referencing storage classes with user-controlled path templates
- Run the provisioner with a dedicated, unprivileged service account scoped to a single host directory mounted as a bind volume
# Example Kyverno policy fragment restricting pathPattern values
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-storageclass-pathpattern
spec:
validationFailureAction: Enforce
rules:
- name: validate-pathpattern
match:
any:
- resources:
kinds: ["StorageClass"]
validate:
message: "pathPattern must match approved allowlist"
pattern:
parameters:
pathPattern: "/var/lib/provisioner/?*"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

