Skip to content

x/vulndb: potential Go vuln in sigs.k8s.io/secrets-store-sync-controller: GHSA-rcw7-pqfp-735x #3939

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in sigs.k8s.io/secrets-store-sync-controller: GHSA-rcw7-pqfp-735x#3939
Assignees
thatnealpatel
Labels
triaged
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Sep 5, 2025

Advisory GHSA-rcw7-pqfp-735x references a vulnerability in the following Go modules:

Module
sigs.k8s.io/secrets-store-sync-controller

Description:
Hello Kubernetes Community,

A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the parameters sent to the providers.

Am I vulnerable?

To check if tokens are being logged, examine the manager container log:

kubectl logs -l 'app.kubernetes.io/part-of=secrets-store-sync-controller' -c ...

References:
- ADVISORY: https://github.com/advisories/GHSA-rcw7-pqfp-735x
- ADVISORY: https://github.com/kubernetes-sigs/secrets-store-sync-controller/security/advisories/GHSA-rcw7-pqfp-735x
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-7445
- REPORT: https://github.com/kubernetes/kubernetes/issues/133897
- WEB: https://groups.google.com/g/kubernetes-security-announce/c/NP7cQvQ1aGA

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
- module: sigs.k8s.io/secrets-store-sync-controller
versions:
- fixed: 0.0.2
vulnerable_at: 0.0.1
summary: secrets-store-sync-controller discloses service account tokens in logs in sigs.k8s.io/secrets-store-sync-controller
cves:
- CVE-2025-7445
ghsas:
- GHSA-rcw7-pqfp-735x
references:
- advisory: GHSA-rcw7-pqfp-735x
- advisory: GHSA-rcw7-pqfp-735x
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-7445
- report: kubernetes/kubernetes#133897
- web: https://groups.google.com/g/kubernetes-security-announce/c/NP7cQvQ1aGA
source:
id: GHSA-rcw7-pqfp-735x
created: 2025-09-05T22:01:12.637795015Z
review_status: UNREVIEWED

Metadata

Metadata

Assignees

Labels

triaged

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions