Request for Patch Timeline: CVEs in CSI Secrets Store Driver v1.5.1

[salujaaa]

Hey,

I am writing on behalf of AWS, regarding FedRAMP Common Vulnerabilities and Exposures (CVEs).

We are currently using the secrets-store-csi-driver container (v1.5.1) and have identified the following CVEs flagged in our vulnerability scans:

• CVE-2025-4598
• CVE-2025-4802

Could you please confirm whether a patch for these vulnerabilities is planned or available? If so, please share the expected timeline for release.

Thank you,
Sahil Saluja

[k8s-ci-robot]

This issue is currently awaiting triage.

If secrets-store-csi-driver contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mswilson]

Regarding CVE-2025-4802, this is almost certainly a false positive finding. This is a vulnerability related to hypothetical statically-compiled setuid root binaries. Such binaries can use dlopen() to access library functionality dynamically, and such library functionality can be intercepted by attackers if they can redirect which library gets used at runtime to one they control.

At the time this vulnerability was disclosed, there were no known vulnerable binaries in any Linux distribution (reference: the glibc advisory). However, the possibility that such a vulnerable binary could be produced can not be discounted.