CVE-2025-25209

Rhcl: sharedsecretref can be used to leak secrets severity

Description

The AuthPolicy metadata on Red Hat Connectivity Link contains an object which stores secretes, however it assumes those secretes are already in the kuadrant-system instead of copying it to the referred namespace. This creates space for a malicious actor with a developer persona access to leak those secrets over HTTP connection, as long the attacker knows the name of the targeted secrets and those secrets are limited to one line only.

Remediation

Workaround:

  • There's no known mitigation for this issue.

Category

5.7
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: Red Hat Red Hat Connectivity Link 1
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/security/cve/CVE-2025-25209 vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2347438 issue tracking

Frequently Asked Questions

What is the severity of CVE-2025-25209?
CVE-2025-25209 has been scored as a medium severity vulnerability.
How to fix CVE-2025-25209?
As a workaround for remediating CVE-2025-25209: There's no known mitigation for this issue.
Is CVE-2025-25209 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-25209 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-25209?
CVE-2025-25209 affects Red Hat Red Hat Connectivity Link 1.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.