
CVE-2025-44021: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenStack Ironic

Severity: Low
Tags: Vulnerability, CVE-2025-44021, CWE-22
Published: Thu May 08 2025 (05/08/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: OpenStack
Product: Ironic

Description

OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. The fixed versions are 24.1.3, 26.1.1, and 29.0.1.

AI-Powered Analysis

Last updated: 07/05/2025, 03:26:35 UTC

Technical Analysis

CVE-2025-44021 is a path traversal vulnerability (CWE-22) affecting OpenStack Ironic versions prior to 29.0.1, specifically versions 24, 25, and 27. OpenStack Ironic is a bare-metal provisioning service used to deploy physical machines via APIs. The vulnerability arises during image handling when a deployment is performed via the API. A malicious project assigned as the node owner can specify a pathname to any local file readable by the ironic-conductor service. Due to insufficient validation of the pathname, Ironic may write unintended files to the target node's disk. This could lead to unauthorized modification of files on the target node, potentially impacting the integrity of the deployed system. However, exploitation is challenging in practice because nodes deployed in this manner should not reach the ACTIVE state, limiting the attack surface. The risk is elevated in non-default, insecure configurations, such as when automated cleaning processes are disabled, which could allow the maliciously written files to persist. The vulnerability does not affect confidentiality or availability directly but impacts integrity by enabling unauthorized file writes. The CVSS v3.1 base score is 2.8 (low severity), reflecting the limited impact and high attack complexity (local access with privileges required). No known exploits are reported in the wild. Fixed versions include 24.1.3, 26.1.1, and 29.0.1, and upgrading to these versions is recommended to mitigate the issue.
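The root cause above is a missing containment check on an owner-supplied local path. The following is an added illustrative example, not OpenStack Ironic's own code or fix: a resolver that accepts a `file://` image source only when its fully resolved target stays inside a conductor-owned image cache, and a `demo()` that exercises it against a constructed cache. The function names and directory layout are assumptions.

```python
# Added illustrative example, not OpenStack Ironic's own code: the containment
# check that stops a CWE-22 write of an arbitrary conductor-readable file to a
# node disk. Function names and the cache directory are assumptions.
import os
import tempfile
from urllib.parse import urlparse, unquote


def resolve_local_image(image_source: str, allowed_root: str) -> str:
    """Return the real path of a file:// image source, else raise ValueError."""
    parsed = urlparse(image_source)
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        raise ValueError("only local file:// image sources are handled here")
    requested = unquote(parsed.path)
    root = os.path.realpath(allowed_root)
    # realpath collapses '..' and follows symlinks, so a link inside the cache
    # that points at a file elsewhere resolves outside root and fails the check.
    target = os.path.realpath(requested)
    # commonpath avoids the prefix bug: '/srv/images-evil' would pass a plain
    # startswith('/srv/images') test.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("image source escapes the allowed root: " + requested)
    if not os.path.isfile(target):
        raise ValueError("image source is not a regular file")
    return target


def demo() -> dict:
    """Exercise the check against a constructed image cache; returns outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as cache, tempfile.TemporaryDirectory() as outside:
        secret = os.path.join(outside, "secret.txt")        # conductor-readable, not an image
        good = os.path.join(cache, "ubuntu.qcow2")          # legitimate cached image
        for path in (secret, good):
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        os.symlink(secret, os.path.join(cache, "link.qcow2"))
        cases = {
            "cached": f"file://{good}",
            "dotdot": f"file://{cache}/../{os.path.basename(outside)}/secret.txt",
            "absolute": f"file://{secret}",
            "symlink": f"file://{cache}/link.qcow2",
        }
        for name, src in cases.items():
            try:
                resolve_local_image(src, cache)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results
```

Only the genuinely cached image is accepted; the `..` traversal, the absolute path to another readable file, and the symlink that escapes the cache are all refused before anything is written to a node.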

Potential Impact

For European organizations using OpenStack Ironic for bare-metal provisioning, this vulnerability poses a risk primarily to the integrity of deployed nodes. If exploited, an attacker with project ownership privileges could manipulate files on the target node's disk, potentially inserting malicious code or altering system configurations. While the vulnerability requires local privileges and specific insecure configurations, organizations with lax operational controls or disabled automated cleaning processes are at higher risk. This could lead to compromised bare-metal servers, impacting critical infrastructure or cloud services hosted on physical hardware. The impact is more pronounced in environments where physical node integrity is paramount, such as telecommunications, finance, or government data centers. However, the low CVSS score and exploitation difficulty reduce the overall threat level. European organizations should still consider the risk in their threat models, especially those with large-scale OpenStack deployments or customized configurations deviating from defaults.

Mitigation Recommendations

1. Upgrade OpenStack Ironic to fixed versions 24.1.3, 26.1.1, or 29.0.1 as soon as possible to eliminate the vulnerability.
2. Enforce strict access controls to ensure only trusted users have project ownership and node deployment privileges.
3. Maintain default or secure configurations, particularly ensuring automated cleaning processes are enabled to prevent persistence of malicious files on nodes.
4. Implement monitoring and auditing of deployment API calls to detect anomalous pathnames or unauthorized file writes.
5. Restrict the ironic-conductor service's file system permissions to minimize readable files that could be targeted.
6. Conduct regular security reviews of bare-metal provisioning workflows and configurations to identify and remediate insecure settings.
7. Use network segmentation and isolation for bare-metal provisioning infrastructure to limit exposure to potentially malicious actors.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7e3a

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 3:26:35 AM

Last updated: 8/15/2025, 6:38:49 AM
