CVE-2025-68476: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kedacore keda
KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3.
AI Analysis
Technical Summary
CVE-2025-68476 is a path traversal vulnerability (CWE-22) in the KEDA autoscaling component for Kubernetes, specifically impacting the handling of TriggerAuthentication resources that configure HashiCorp Vault authentication. The vulnerability arises from insufficient validation of the pathname used to load the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker who can create or modify TriggerAuthentication resources can exploit this flaw to read arbitrary files from the node's filesystem where the KEDA pod runs. This is achieved by manipulating the Vault authentication request to exfiltrate file contents to an attacker-controlled server. The vulnerability does not require user interaction and can be exploited remotely if the attacker has the necessary Kubernetes resource permissions (PR:H). The impact is high due to the potential disclosure of sensitive information such as secrets, keys, or system files, which could facilitate further attacks or compromise. The vulnerability affects KEDA versions prior to 2.17.3 and versions from 2.18.0 up to but not including 2.18.3. The issue has been addressed in versions 2.17.3 and 2.18.3 by improving path validation controls. No known exploits are currently reported in the wild, but the high CVSS score of 8.2 reflects the criticality of the flaw given the sensitive nature of the data accessible and the ease of exploitation by authorized users. Organizations using KEDA in Kubernetes environments with Vault integration should prioritize patching and review RBAC policies to limit TriggerAuthentication resource modifications.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data within Kubernetes clusters, particularly those leveraging KEDA for autoscaling and integrating with HashiCorp Vault for secret management. Successful exploitation can lead to the disclosure of critical system files and secrets, potentially enabling lateral movement, privilege escalation, or disruption of services. This is especially impactful for sectors with stringent data protection requirements such as finance, healthcare, and critical infrastructure. The exposure of secrets or keys could also violate GDPR mandates on data security and breach notification. Additionally, organizations relying on multi-tenant Kubernetes clusters or managed cloud services may face increased risk if attackers gain resource modification permissions. The vulnerability could undermine trust in cloud-native deployments and complicate compliance efforts. Given the widespread adoption of Kubernetes and Vault in Europe, the threat could affect a broad range of enterprises and public sector entities.
Mitigation Recommendations
1. Upgrade all KEDA deployments to versions 2.17.3 or 2.18.3 or later, where the vulnerability is patched.
2. Implement strict Role-Based Access Control (RBAC) policies to restrict who can create or modify TriggerAuthentication resources, limiting this capability to trusted administrators only.
3. Audit existing TriggerAuthentication resources for suspicious configurations or unauthorized changes.
4. Monitor Kubernetes API server logs and Vault authentication requests for anomalous activity indicative of exploitation attempts.
5. Employ network segmentation and egress filtering to prevent unauthorized exfiltration of data from Kubernetes nodes.
6. Use Kubernetes admission controllers or policy engines (e.g., OPA/Gatekeeper) to enforce validation rules on TriggerAuthentication resources.
7. Regularly review and rotate secrets stored in Vault to minimize the impact of potential leaks.
8. Educate DevOps and security teams about the risks associated with resource permissions and the importance of patch management in cloud-native environments.
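The root cause described in the technical summary (a token path taken from spec.hashiCorpVault.credential.serviceAccount without confining it to a directory) and mitigation step 6 (validating TriggerAuthentication resources at admission time) both come down to the same check: resolve the supplied path and refuse anything that does not land strictly inside the directory where the projected token lives. The Go program below is an added illustration of that CWE-22 containment pattern; it is not KEDA's code or its actual fix. The directory constant AllowedTokenDir (the standard Kubernetes projection path), the minimal triggerAuth struct (only the one field named in the advisory), and the functions ValidateTokenPath and ValidateTriggerAuthentication are all assumptions made for this example, and the manifests in main are constructed samples.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// AllowedTokenDir is the only directory a Vault service-account token may be
// loaded from. Assumption for this example: it is the standard location where
// Kubernetes projects a pod's service account token, not a value taken from KEDA.
const AllowedTokenDir = "/var/run/secrets/kubernetes.io/serviceaccount"

// ErrOutsideAllowedDir is returned when a path resolves outside AllowedTokenDir.
var ErrOutsideAllowedDir = errors.New("service account token path escapes the allowed directory")

// triggerAuth mirrors only the field this check needs. The nesting follows the
// spec path quoted in the advisory (spec.hashiCorpVault.credential.serviceAccount);
// every other field of the real CRD is omitted (assumption).
type triggerAuth struct {
	Spec struct {
		HashiCorpVault struct {
			Credential struct {
				ServiceAccount string `json:"serviceAccount"`
			} `json:"credential"`
		} `json:"hashiCorpVault"`
	} `json:"spec"`
}

// ValidateTokenPath returns the cleaned path if it names a file strictly inside
// AllowedTokenDir, and an error otherwise. filepath.Clean collapses ".", ".."
// and repeated separators first, so the containment test that follows sees the
// path the OS would actually open rather than the raw string.
func ValidateTokenPath(p string) (string, error) {
	switch {
	case p == "":
		return "", errors.New("service account token path is empty")
	case strings.ContainsRune(p, 0):
		return "", errors.New("service account token path contains a NUL byte")
	case !filepath.IsAbs(p):
		return "", errors.New("service account token path must be absolute")
	}
	clean := filepath.Clean(p)
	rel, err := filepath.Rel(AllowedTokenDir, clean)
	if err != nil {
		return "", err
	}
	// rel is "." for the directory itself and starts with ".." for anything
	// outside it, including sibling directories such as ".../serviceaccount2".
	if rel == "." {
		return "", errors.New("service account token path must name a file inside the allowed directory")
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideAllowedDir
	}
	return clean, nil
}

// ValidateTriggerAuthentication parses a TriggerAuthentication manifest (JSON)
// and applies ValidateTokenPath to the Vault credential path. The same check
// could run in an admission webhook or policy engine before the object is stored.
func ValidateTriggerAuthentication(manifest []byte) error {
	var ta triggerAuth
	if err := json.Unmarshal(manifest, &ta); err != nil {
		return fmt.Errorf("parse manifest: %w", err)
	}
	sa := ta.Spec.HashiCorpVault.Credential.ServiceAccount
	if sa == "" {
		return nil // no Vault service-account credential configured; nothing to check
	}
	if _, err := ValidateTokenPath(sa); err != nil {
		return fmt.Errorf("spec.hashiCorpVault.credential.serviceAccount: %w", err)
	}
	return nil
}

func main() {
	// Constructed sample manifests: one pointing at the projected token, one
	// using a traversal sequence to reach a file outside the allowed directory.
	samples := map[string]string{
		"projected token": `{"spec":{"hashiCorpVault":{"credential":{"serviceAccount":"/var/run/secrets/kubernetes.io/serviceaccount/token"}}}}`,
		"traversal":       `{"spec":{"hashiCorpVault":{"credential":{"serviceAccount":"/var/run/secrets/kubernetes.io/serviceaccount/../../../../../etc/passwd"}}}}`,
	}
	for name, m := range samples {
		if err := ValidateTriggerAuthentication([]byte(m)); err != nil {
			fmt.Printf("%-16s REJECT: %v\n", name, err)
		} else {
			fmt.Printf("%-16s accept\n", name)
		}
	}
}
```

The containment test is lexical: filepath.Clean and filepath.Rel never touch the filesystem, which is what makes the check usable in an admission webhook where the node's files are not visible. The component that actually opens the token should repeat the check after filepath.EvalSymlinks on the resolved path, since a symlink placed inside the allowed directory can still point outside it.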
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-18T13:52:15.491Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6949bf39edc45005c15e34dd
Added to database: 12/22/2025, 9:59:21 PM
Last enriched: 12/22/2025, 10:12:26 PM
Last updated: 12/23/2025, 7:09:26 AM