CVE-2025-7445 Overview
CVE-2025-7445 affects the Kubernetes secrets-store-sync-controller in versions before 0.0.2. The controller writes service account tokens into its log output, exposing sensitive authentication material to anyone with log read access. The flaw is categorized as Insertion of Sensitive Information into Log File [CWE-532]. An attacker with local access to logs can retrieve tokens and authenticate to the Kubernetes API as the impersonated service account. The vulnerability requires low privileges and no user interaction, and it impacts confidentiality without affecting integrity or availability.
Critical Impact
Service account tokens written to controller logs can be reused by anyone with log read access to authenticate to the Kubernetes API as the affected workload identity.
Affected Products
- Kubernetes secrets-store-sync-controller versions prior to 0.0.2
- Clusters using the Secrets Store CSI ecosystem with the sync controller deployed
- Workloads relying on service account token projection through the controller
Discovery Timeline
- 2025-09-05 - CVE-2025-7445 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7445
Vulnerability Analysis
The secrets-store-sync-controller synchronizes external secrets into Kubernetes Secret objects. To authenticate to external providers on behalf of workloads, the controller requests projected service account tokens from the API server. In versions prior to 0.0.2, these token values appear in standard controller log output rather than being redacted. Pod logs are typically accessible to cluster operators, log aggregation pipelines, and any principal granted get or list on pods/log in the controller namespace. A local attacker with such access can harvest valid tokens. Because the leaked tokens are bound to workload service accounts, an attacker can reuse them against the Kubernetes API or external secret backends until the tokens expire.
Root Cause
The defect is an information exposure through log files [CWE-532]. The controller logs request or response data containing the token field without scrubbing. Sensitive credentials should be replaced with placeholder values before any structured or unstructured log output is emitted.
Attack Vector
The attack vector is local. An attacker with read access to controller pod logs, the node filesystem under /var/log/pods/, or downstream log storage retrieves the token string. The attacker then presents the token to kube-apiserver as a Bearer credential or uses it against the secrets backend the controller targets. No exploit code is required beyond standard kubectl logs or log query tooling.
Detection Methods for CVE-2025-7445
Indicators of Compromise
- Controller log entries from secrets-store-sync-controller containing JSON Web Token (JWT) strings matching the pattern eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
- Kubernetes audit log entries showing API authentication using a service account token from an unexpected source IP or user agent
- Access to pods/log for the controller namespace by accounts that do not normally consume those logs
Detection Strategies
- Scan archived controller logs and SIEM indexes for JWT patterns and correlate matches with the issuing service account iss and sub claims
- Enable Kubernetes audit logging at Metadata level or higher and alert on service account token use from outside expected pod CIDR ranges
- Review RBAC bindings granting get/list on pods/log in namespaces hosting the sync controller
Monitoring Recommendations
- Forward controller logs through a redaction layer that masks Bearer tokens and JWT structures before storage
- Alert on log volume anomalies from secrets-store-sync-controller pods that may indicate token reissuance loops
- Track service account token reviews via TokenReview API calls and flag tokens used outside their bound pod lifetime
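The JWT-pattern scan and iss/sub correlation from the detection strategies above, together with the redaction step from the monitoring recommendations, as an added Python example (not code from the advisory or the controller project). The log line format, service account name and claim values are constructed for the sample; real controller output will differ.

```python
import base64
import json
import re

# JWT shape from the advisory's indicator list: three base64url segments, the first two starting with "eyJ"
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Read the payload claims without verifying the signature: this is triage of a
    leaked credential to learn which identity it binds, not authentication."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def scan_log(lines):
    """Return (line_no, iss, sub, exp) for every JWT-shaped string found in the log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in JWT_RE.finditer(line):
            try:
                claims = decode_claims(m.group(0))
            except ValueError:  # JWT-shaped, but the payload is not base64url JSON
                continue
            findings.append((n, claims.get("iss"), claims.get("sub"), claims.get("exp")))
    return findings

def redact(line: str) -> str:
    """Mask JWT-shaped strings so the token never reaches log storage."""
    return JWT_RE.sub("[REDACTED-JWT]", line)

def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned token for the sample log; the third segment is a placeholder, not a signature
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'sample'})}.{enc(claims)}.c2lnbmF0dXJl"

# Constructed sample lines imitating controller output (not real log data); line 2 leaks a token
SAMPLE_LOG = [
    "I0905 10:00:00.000000 1 provider.go:88] requesting token for secrets-store-sync-system/sync-sa",
    "I0905 10:00:00.100000 1 provider.go:91] token response: " + _fake_jwt(
        {"iss": "https://kubernetes.default.svc",
         "sub": "system:serviceaccount:secrets-store-sync-system:sync-sa", "exp": 1757066400}),
    "I0905 10:00:01.000000 1 sync.go:120] synced secret secrets-store-sync-system/db-creds",
]
```

Run `scan_log` over archived logs to list which service accounts need rotation, and put `redact` in front of the collector so new lines are masked before persistence.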
How to Mitigate CVE-2025-7445
Immediate Actions Required
- Upgrade the secrets-store-sync-controller deployment to version 0.0.2 or later
- Rotate any service account tokens potentially exposed by prior controller log output
- Purge historical log data containing leaked tokens from log aggregation systems and node storage
- Restrict RBAC permissions on pods/log in the controller namespace to a minimum set of operators
Patch Information
The fix is included in secrets-store-sync-controller version 0.0.2. Refer to the Kubernetes Security Announcement and the upstream GitHub Issue Report for release details and remediation guidance.
Workarounds
- Lower the controller log verbosity to suppress request and response payloads until the upgrade is applied
- Apply a log-processing filter at the collector (Fluent Bit, Vector, Logstash) to strip JWT-shaped strings before persistence
- Shorten projected service account token lifetimes via the expirationSeconds field to limit the window of token reuse
# Configuration example: upgrade the controller image to the fixed release and lower log verbosity
# (shortening projected token lifetime is done with expirationSeconds on the workload's projected volume, not on the controller)
kubectl -n secrets-store-sync-system set image \
  deployment/secrets-store-sync-controller \
  manager=registry.k8s.io/secrets-store-sync/controller:v0.0.2
# Keep the single-quoted JSON patch on one line: a backslash-newline inside single quotes is passed literally and makes the JSON invalid
kubectl -n secrets-store-sync-system patch deployment secrets-store-sync-controller \
  --type=json -p='[{"op":"replace","path":"/spec/template/spec/containers/0/args","value":["--v=2","--zap-log-level=info"]}]'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.