A maximum-severity vulnerability has been uncovered in a core Kubernetes storage component, leaving nodes wide open to unauthorized file manipulation. The SUSE Rancher Security team has issued an urgent advisory for the Local Path Provisioner, a popular tool used to manage local storage in Kubernetes clusters.
Tracked as CVE-2025-62878, the flaw carries a perfect CVSS score of 10.0, signaling a catastrophic risk for unpatched environments. The vulnerability allows attackers to break out of their storage “sandbox” and write files anywhere on the host operating system.
The issue lies in how the provisioner handles user-defined file paths. Specifically, the provisioner did not properly sanitize the pathPattern parameter, which determines where volume data is stored on the node.
By injecting simple directory traversal sequences (like ../../), a malicious user can trick the provisioner into creating storage volumes outside the intended base directory.
The advisory explains: “A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories”.
In a standard setup, the provisioner is supposed to restrict storage to a specific base path. However, this vulnerability effectively erases that boundary. An attacker could configure a storage class to point to critical system folders, such as /etc.
“Previously, a malicious user could manipulate pathPattern to escape the base path and create volumes pointing to sensitive or unintended directories (for example, /etc), potentially overwriting host files or gaining unauthorized access,” the advisory warns.
This means a standard user with permission to create storage resources could theoretically overwrite system configuration files, plant malicious scripts, or crash the node entirely.
The fix involves stricter validation logic that rejects any path traversal attempts. The maintainers have released version v0.0.34 to address the flaw.
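To illustrate what such validation looks like, here is an added example in Go (the provisioner's own language); it is not local-path-provisioner's actual fix and assumes the pattern is checked as a plain relative path against the provisioner's configured base directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a pathPattern contains ".." or would
// resolve to a directory outside the provisioner's base path.
var ErrPathTraversal = errors.New("pathPattern escapes the base path")

// safeVolumePath joins a pathPattern onto basePath and returns the resolved
// volume directory, or ErrPathTraversal if the pattern could leave basePath.
// Assumption (illustrative, not the project's real code): the pattern is a
// plain relative path and the check is purely lexical; symlinks already
// present under basePath are not resolved here and need a separate check.
func safeVolumePath(basePath, pattern string) (string, error) {
	base := filepath.Clean(basePath)
	if !filepath.IsAbs(base) {
		return "", errors.New("basePath must be absolute")
	}
	// An absolute pattern (e.g. /etc) is never an acceptable volume location.
	if filepath.IsAbs(pattern) {
		return "", ErrPathTraversal
	}
	// Reject any ".." element outright, even one that would stay inside base.
	for _, elem := range strings.Split(filepath.ToSlash(pattern), "/") {
		if elem == ".." {
			return "", ErrPathTraversal
		}
	}
	// Defense in depth: the cleaned result must still sit under base.
	full := filepath.Clean(filepath.Join(base, pattern))
	if full != base && !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return full, nil
}

func main() {
	base := "/opt/local-path-provisioner" // constructed sample base path
	// Constructed sample patterns: one benign, three that must be rejected.
	for _, p := range []string{"team-a/pvc-data", "../../etc", "/etc", "team-a/../team-b"} {
		dir, err := safeVolumePath(base, p)
		fmt.Printf("%-20q -> %q, err=%v\n", p, dir, err)
	}
}
```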
For administrators running older versions, there is no interim workaround. “There are no workarounds for this issue. Users must upgrade to a patched version of local-path-provisioner to fully mitigate the vulnerability,” the advisory states.
With a CVSS score of 10, this is a “drop everything and patch” scenario for any team utilizing the Local Path Provisioner in their Kubernetes infrastructure.