Nixpkgs Security Tracker

Permalink CVE-2025-62878

9.9 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 2 weeks, 2 days ago by @mweinelt Activity log

Created automatic suggestion 3 weeks, 3 days ago
@mweinelt removed
2 packages
- terraform-providers.rancher2
- terraform-providers.rancher_rancher2
2 weeks, 2 days ago

Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

References

Affected products

github.com/rancher/local-path-provisioner

<0.0.34

Matching in nixpkgs

pkgs.rancher

Rancher Command Line Interface (CLI) is a unified tool for interacting with your Rancher Server

nixos-unstable 2.13.2
- nixpkgs-unstable 2.13.2
- nixos-unstable-small 2.13.2
nixos-25.11 2.12.3
- nixos-25.11-small 2.12.3
- nixpkgs-25.11-darwin 2.12.3

Ignored packages (2)

pkgs.terraform-providers.rancher2

None

nixos-unstable rancher2-13.1.4
- nixpkgs-unstable rancher2-13.1.4
- nixos-unstable-small rancher2-13.1.4
nixos-25.11 rancher2-8.3.1
- nixos-25.11-small rancher2-8.3.1
- nixpkgs-25.11-darwin rancher2-8.3.1

pkgs.terraform-providers.rancher_rancher2