CVE-2025-58061: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in openebs rawfile-localpv
OpenEBS Local PV RawFile allows dynamic deployment of Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes. Prior to version 0.10.0, persistent volume data is world-readable, which allows non-privileged users to access sensitive data such as the databases of k8s workloads. The rawfile-localpv storage class creates persistent volume data under /var/csi/rawfile/ on Kubernetes hosts by default. However, the directory and the data in it are world-readable. This allows non-privileged users to access the whole persistent volume data, which can include sensitive information such as an entire database if the Kubernetes tenants are running MySQL or PostgreSQL in a container, so it could lead to a database breach. This issue has been patched in version 0.10.0.
AI Analysis
Technical Summary
CVE-2025-58061 is a medium-severity vulnerability affecting OpenEBS rawfile-localpv versions prior to 0.10.0. OpenEBS is a cloud-native storage solution for Kubernetes, and the rawfile-localpv storage class enables dynamic provisioning of persistent node-local volumes and filesystems. The vulnerability arises because the persistent volume data created under the default directory /var/csi/rawfile/ on Kubernetes hosts is world-readable. This misconfiguration allows any non-privileged user on the host to access the entire persistent volume data, which may contain sensitive information such as databases (e.g., MySQL, PostgreSQL) running inside Kubernetes pods. Since the data is exposed at the host filesystem level, unauthorized users can read confidential data without requiring elevated privileges or user interaction. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 base score is 5.5, reflecting a medium severity with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact. This vulnerability could lead to data breaches of sensitive workloads hosted on Kubernetes clusters using affected OpenEBS versions. The issue has been patched in version 0.10.0 by correcting the permissions on the persistent volume data directory to prevent unauthorized read access.
Potential Impact
For European organizations deploying Kubernetes clusters with the OpenEBS rawfile-localpv storage class in versions prior to 0.10.0, this vulnerability poses a significant risk of sensitive data exposure. Attackers or malicious insiders with local access to Kubernetes host nodes can read persistent volume data, potentially extracting confidential business information, customer data, or intellectual property stored in databases running inside containers. This can lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial penalties. Since the vulnerability requires no user interaction and only low privileges, it increases the risk from insider threats or compromised hosts. The impact is particularly critical for organizations running multi-tenant Kubernetes environments or those with strict data confidentiality requirements. However, the vulnerability does not affect data integrity or availability, limiting the scope to confidentiality breaches only.
Mitigation Recommendations
European organizations should immediately upgrade OpenEBS rawfile-localpv to version 0.10.0 or later, where the directory permissions issue is fixed. Until the upgrade is possible, organizations should manually verify and restrict permissions on the /var/csi/rawfile/ directory on Kubernetes hosts to prevent world-readable access, ensuring only the Kubernetes system and authorized users can read the persistent volume data. Implement strict host access controls and monitoring to detect unauthorized local access attempts. Employ Kubernetes security best practices such as node isolation, limiting SSH access, and using Role-Based Access Control (RBAC) to minimize the number of users with host-level access. Additionally, encrypting sensitive data at rest within the containers or databases can reduce the impact of unauthorized read access. Regular audits and vulnerability scanning of Kubernetes clusters should include checks for this vulnerability until fully remediated.
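The interim check described above, as an added helper script that is not part of OpenEBS: it lists every entry under the rawfile-localpv data directory that grants any permission to "other", and can strip those bits. The directory path /var/csi/rawfile is the advisory's default; RAWFILE_DIR and the function names are this script's own.

```shell
#!/bin/sh
# Added audit/remediation helper for CVE-2025-58061; this is not OpenEBS code.
# It reports entries under the rawfile-localpv data directory that grant any
# permission to "other" (world) and can strip those bits. Run as root on a node.
# RAWFILE_DIR defaults to the advisory's /var/csi/rawfile; override it for testing.

RAWFILE_DIR="${RAWFILE_DIR:-/var/csi/rawfile}"

# Print every file or directory under $1 whose mode has any o=rwx bit set.
# GNU find's "-perm /MODE" matches when any of the given bits is present.
list_world_accessible() {
    find "$1" -perm /007 -print 2>/dev/null
}

# Number of world-accessible entries under $1; "0" means the tree is clean.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Drop all "other" bits below $1 and make the top directory 0700 so that
# non-root users cannot even traverse into the per-volume directories.
restrict_world_access() {
    chmod 0700 "$1"
    chmod -R o-rwx "$1"
}

# Command-line entry point: "audit" exits non-zero when exposed entries exist,
# "fix" restricts the tree and re-audits. With no argument nothing is run.
case "${1:-}" in
    audit)
        n=$(count_world_accessible "$RAWFILE_DIR")
        list_world_accessible "$RAWFILE_DIR"
        echo "world-accessible entries under $RAWFILE_DIR: $n"
        [ "$n" -eq 0 ] ;;
    fix)
        restrict_world_access "$RAWFILE_DIR"
        echo "remaining exposed entries: $(count_world_accessible "$RAWFILE_DIR")" ;;
esac
```

Run `sh audit.sh audit` on each node to confirm the exposure before and after upgrading; validate `fix` on a non-production node first and confirm pods still mount their volumes afterwards.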
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-22T14:30:32.222Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68b0d58dad5a09ad00700b2c
Added to database: 8/28/2025, 10:17:49 PM
Last enriched: 8/28/2025, 10:33:08 PM
Last updated: 8/29/2025, 12:34:43 AM
Related Threats
- CVE-2025-9441: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in iatspaymentsdev iATS Online Forms (Medium)
- CVE-2025-9374: CWE-352 Cross-Site Request Forgery (CSRF) in briancolinger Ultimate Tag Warrior Importer (Medium)
- CVE-2025-8619: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in garbowza OSM Map Widget for Elementor (Medium)
- CVE-2025-8290: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in weblineindia List Subpages (Medium)
- CVE-2025-8147: CWE-285 Improper Authorization in aurelienlws LWSCache (Medium)