GHSA-h773-7gf7-9m2x

Source

https://github.com/advisories/GHSA-h773-7gf7-9m2x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-h773-7gf7-9m2x/GHSA-h773-7gf7-9m2x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h773-7gf7-9m2x

Aliases

Related

CGA-26m7-7hp5-7gpg

Published

2025-10-21T20:26:25Z

Modified

2026-02-04T03:07:28.924422Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

NeuVector is shipping cryptographic material into its binary

Details

Impact

NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.

In the patched version, NeuVector leverages the Kubernetes secret neuvector-store-secret in neuvector namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed securely within Kubernetes.

During rolling upgrade or restoring from persistent storage, the NeuVector controller checks each encrypted configured field. If a sensitive field in the configuration is found to be encrypted by the default encryption key, it’s decrypted with the default encryption key and then re-encrypted with the new dynamic encryption key.

If the NeuVector controller does not have the correct RBAC for accessing the new secret, it writes this error log : Required Kubernetes RBAC for secrets are not found and exits.

The device encryption key is rotated every 3 months. For details, please refer to this Rotating Self-Signed Certificate documentation.

Patches

Patched versions include release v5.4.7 and above.

Workarounds

There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.

References

If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the NeuVector repository. - Verify with our support matrix and product support lifecycle.

Database specific

{
    "cwe_ids": [
        "CWE-321"
    ],
    "github_reviewed_at": "2025-10-21T20:26:25Z",
    "nvd_published_at": "2025-10-30T10:15:35Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

Go / github.com/neuvector/neuvector

Package

Name: github.com/neuvector/neuvector; View open source insights on deps.dev
Purl: pkg:golang/github.com/neuvector/neuvector

Affected ranges

Type: SEMVER
Events: Introduced

5.3.0

Fixed

5.4.7

Database specific

last_known_affected_version_range

"<= 5.4.6"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-h773-7gf7-9m2x/GHSA-h773-7gf7-9m2x.json"

Go / github.com/neuvector/neuvector

Package

Name: github.com/neuvector/neuvector; View open source insights on deps.dev
Purl: pkg:golang/github.com/neuvector/neuvector

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-20230727023453-1c4957d53911

Fixed

0.0.0-20251020133207-084a437033b4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-h773-7gf7-9m2x/GHSA-h773-7gf7-9m2x.json"