
Security Advisories and CVEs

NeuVector is committed to informing the community of security issues. Below is a CVE reference list of published security advisories and CVEs (Common Vulnerabilities and Exposures) for issues we have resolved.

CVE List

Each entry gives the ID, a description, the publication date and the resolution.

ID: CVE-2025-8077
Description: For NeuVector deployments on Kubernetes, the bootstrap password of the default admin user is generated randomly and stored in a Kubernetes Secret. The admin must first read the bootstrap password from that Secret and is required to change it after the first successful UI login.
Date: 25 Aug 2025
Resolution: NeuVector v5.4.6

ID: CVE-2025-53884
Description: NeuVector protects user passwords with PBKDF2 and a cryptographically secure random salt instead of a simple hash. For rolling upgrades from earlier versions, NeuVector recomputes and stores the new password hash only after each user's next successful login, since the plaintext password is only available at that moment.
Date: 25 Aug 2025
Resolution: NeuVector v5.4.6

ID: CVE-2025-54467
Description: By default, NeuVector redacts process commands that contain the strings password, passwd, pwd, token or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks and support logs. Additional process commands can be redacted by defining custom regex patterns in a Kubernetes ConfigMap.
Date: 25 Aug 2025
Resolution: NeuVector v5.4.6

ID: CVE-2025-46808
Description: Sensitive information may be logged in the manager container depending on the logging configuration and the permissions of the logged credentials. For details, refer to Sensitive information exposure in NeuVector manager container logs below.
Date: 09 Jul 2025
Resolution: NeuVector v5.4.5

ID: CVE-2024-38095
Description: In .NET, a malicious X.509 certificate or certificate chain can cause excessive CPU consumption, resulting in denial of service. This entry was tracked as a detection issue for affected .NET libraries in the vulnerability scanner.
Date: 09 Jul 2025
Resolution: NeuVector v5.4.5

ID: CVE-2024-7347
Description: A vulnerability in the NGINX ngx_http_mp4_module allows crafted MP4 files to cause memory over-reads and worker process termination. This CVE was reported in NeuVector 5.4.2 as a possible false negative in the vulnerability scanner; the issue concerned detection accuracy, not the NeuVector product itself.
Date: 15 Jan 2025
Resolution: NeuVector v5.4.2

ID: CVE-2018-20796
Description: In the GNU C Library through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has uncontrolled recursion.
Date: 15 Jan 2025
Resolution: Not applicable; flagged in v5.4.2 as a false positive.

ID: CVE-2024-41110
Description: A vulnerability in certain versions of Docker Engine could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of exploitation is low.
Date: 16 Nov 2024
Resolution: NeuVector v5.4.1

ID: CVE-2020-26160
Description: jwt-go allows attackers to bypass intended access restrictions when m["aud"] holds a []string{} (which the specification allows). Because the type assertion to string fails, aud is treated as "". This is a security problem if the JWT is presented to a service that lacks its own audience check. No patch is available for jwt-go; users are advised to migrate to golang-jwt version 3.2.1.
Date: 16 Nov 2024
Resolution: NeuVector v5.4.1
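The rolling-upgrade behaviour described for CVE-2025-53884 (salted PBKDF2 replacing a simple hash, with the rehash deferred to each user's next successful login) is shown below as an added example written for this page. It is not NeuVector's code: the legacy "simple hash" is modelled as an unsalted SHA-256, and the record layouts, iteration count and user-store shape are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Record formats are assumptions for this example; the page does not state the
# exact pre-5.4.6 "simple hash" format or the new on-disk layout.
LEGACY_PREFIX = "sha256$"            # unsalted SHA-256 hex, stands in for the old scheme
PBKDF2_PREFIX = "pbkdf2-sha256$"     # pbkdf2-sha256$<iterations>$<salt hex>$<dk hex>
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """Unsalted hash: identical passwords give identical records, and one
    precomputed table cracks the whole user store at once."""
    return LEGACY_PREFIX + hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 record; the salt comes from the OS CSPRNG."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    if record.startswith(PBKDF2_PREFIX):
        _, iters, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters), dklen=32)
        return hmac.compare_digest(dk.hex(), dk_hex)
    if record.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(legacy_hash(password), record)
    return False


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a legacy record in place.

    The server only holds the plaintext during a login attempt, so a rolling
    upgrade can rehash only at that moment; an account that never logs in keeps
    its legacy record until it does.
    """
    record = users.get(username)
    if record is None or not verify(password, record):
        return False                  # failed logins never touch the store
    if not record.startswith(PBKDF2_PREFIX):
        users[username] = pbkdf2_hash(password)
    return True


if __name__ == "__main__":
    # Constructed user store: one account still on the legacy scheme.
    store = {"alice": legacy_hash("correct horse battery staple")}
    print(login(store, "alice", "wrong"), store["alice"][:12])
    print(login(store, "alice", "correct horse battery staple"), store["alice"][:20])
```

The consequence worth checking after such an upgrade is the one the login function makes visible: any account that has not logged in since the upgrade is still protected only by the legacy record, so a dump of the user store taken months later can still contain unsalted hashes for dormant accounts.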
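The process-command redaction described for CVE-2025-54467 (default keywords password, passwd, pwd, token and key, plus operator-supplied regex patterns) is illustrated by the added example below. It is not NeuVector's implementation: the keyword list comes from the page, but case-insensitive matching, the token-level granularity of the replacement, the placeholder text and the plain list standing in for the ConfigMap are choices made for this example. The sample commands are constructed.

```python
import re
import shlex

# Default substrings the page lists. Matching is by substring, so it also fires on
# paths such as /etc/passwd (shown in the samples below).
DEFAULT_KEYWORDS = ("password", "passwd", "pwd", "token", "key")

# Stand-in for the custom patterns an operator would put in the Kubernetes
# ConfigMap the page mentions; the ConfigMap's key names are not on the page, so
# they are kept as a plain list here (assumption).
CUSTOM_PATTERNS = (
    r"Bearer\s+\S+",        # bearer tokens passed as curl headers
    r"AKIA[0-9A-Z]{16}",    # AWS access key IDs
)

PLACEHOLDER = "<redacted>"


def compile_patterns(keywords=DEFAULT_KEYWORDS, custom=CUSTOM_PATTERNS):
    """Default keywords are matched case-insensitively (an assumption; the page
    does not say); custom regexes are used exactly as written."""
    patterns = [re.compile(re.escape(k), re.IGNORECASE) for k in keywords]
    patterns.extend(re.compile(p) for p in custom)
    return patterns


def redact_command(cmd, patterns):
    """Redact the sensitive part of one process command line.

    argv[0] is always kept; for every later token that matches a pattern:
      key=value       -> key=<redacted>
      --flag value    -> --flag <redacted>   (the flag matched, its value is hidden)
      anything else   -> <redacted>
    This granularity is a choice for the example, not the product's documented one.
    """
    try:
        tokens = shlex.split(cmd)
    except ValueError:                    # unbalanced quotes: keep only argv[0]
        head = cmd.split(None, 1)[0] if cmd.strip() else ""
        return f"{head} {PLACEHOLDER}".strip()
    out, hide_next = [], False
    for i, tok in enumerate(tokens):
        if hide_next:
            out.append(PLACEHOLDER)
            hide_next = False
        elif i == 0 or not any(p.search(tok) for p in patterns):
            out.append(tok)
        elif "=" in tok:
            out.append(tok.split("=", 1)[0] + "=" + PLACEHOLDER)
        elif tok.startswith("-"):
            out.append(tok)
            hide_next = True
        else:
            out.append(PLACEHOLDER)
    return " ".join(out)


# Constructed sample process commands, as they might appear in a security log.
SAMPLE_COMMANDS = [
    "mysql -u app --password=hunter2 -h db.internal",
    "mysql -u app --password hunter2",
    "mysql -u app -phunter2 -h db.internal",
    "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.x' https://api.internal/v1/ping",
    "export API_KEY=AKIAIOSFODNN7EXAMPLE",
    "cat /etc/passwd",
    "ls -la /tmp",
]


def redact_all(commands=SAMPLE_COMMANDS, patterns=None):
    """Apply redaction to a batch of logged commands."""
    patterns = patterns or compile_patterns()
    return [redact_command(c, patterns) for c in commands]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_COMMANDS, redact_all()):
        print(f"{before!r:80} -> {after!r}")
```

Two of the samples show the limits of keyword matching that an operator should keep in mind when tuning the custom patterns: `cat /etc/passwd` is redacted although it carries no secret, while `mysql -phunter2` is not, because the MySQL short option glues the password to a flag that contains none of the keywords. Only a custom pattern such as `-p\S+` closes the second gap.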
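The jwt-go audience bypass behind CVE-2020-26160 is easier to see with both checks side by side. The added example below models the relevant logic in Python (the original is Go, where the failed `m["aud"].(string)` assertion yields the zero value ""); it is neither jwt-go's nor NeuVector's code, the claims dicts stand for decoded JWT payloads, and the service names "billing" and "reports" are made up.

```python
import hmac


def verify_audience_vulnerable(claims, expected, required):
    """Models jwt-go 3.2.0's MapClaims.VerifyAudience: `aud, _ := m["aud"].(string)`.

    JSON decoding turns `"aud": ["svc"]` into a []interface{} (a list here), the
    assertion to string fails, and aud silently becomes "".
    """
    aud = claims.get("aud")
    if not isinstance(aud, str):      # the failed type assertion: zero value ""
        aud = ""
    if aud == "":                     # read as "no audience claim": accept unless required
        return not required
    return hmac.compare_digest(aud.encode(), expected.encode())


def verify_audience_fixed(claims, expected, required):
    """Models golang-jwt 3.2.1: aud may be a string, a list of strings, or absent;
    a list with any non-string element rejects the token outright."""
    raw = claims.get("aud")
    if isinstance(raw, str):
        auds = [raw]
    elif isinstance(raw, list):
        if not all(isinstance(a, str) for a in raw):
            return False
        auds = raw
    else:                             # absent (or an unexpected scalar): no audience
        auds = []
    if not auds or all(a == "" for a in auds):
        return not required
    matched = False
    for a in auds:                    # visit every entry to keep timing uniform
        if hmac.compare_digest(a.encode(), expected.encode()):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed payloads: a token minted for "billing" and presented to "reports".
    stolen = {"sub": "alice", "aud": ["billing"]}
    print("vulnerable accepts:", verify_audience_vulnerable(stolen, "reports", False))
    print("fixed accepts:     ", verify_audience_fixed(stolen, "reports", False))
```

The second effect of the bug is less obvious than the bypass: when a service calls the check with required set, a perfectly valid token whose aud is a one-element list is rejected, so code that "worked" with required=False may have been silently skipping the check rather than passing it.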

Sensitive information exposure in NeuVector manager container logs

Affected Versions

  • All versions earlier than 5.0.0

  • Versions from 5.0.0 up to and including 5.4.4

Fixed version: 5.4.5

Impact

A vulnerability has been identified in NeuVector versions up to and including 5.4.4 in which sensitive information is written to the manager container's log. The following fields can be captured in the log:

Each entry gives the field, what it contains, where in the request or response it appears, how to reproduce the exposure, and the environment in which it occurs.

Field: X-R-Sess
  Description: Rancher's session token for single sign-on
  Where it appears: Request header
  Reproduction: Log in via the Rancher UI and access NeuVector through SSO
  Environment: Rancher with NeuVector SSO

Field: personal_access_token
  Description: The GitHub / Azure DevOps token
  Where it appears: Request body
  Reproduction: Submit a remote repository configuration under Configuration > Settings
  Environment: NeuVector

Field: token1.token
  Description: NeuVector user's session token
  Where it appears: Response body
  Reproduction: Send a GET request to the NeuVector web server's API: https://<neuvector ui's url>/user?name=<username>
  Environment: NeuVector

Field: rekor_public_key, root_cert, sct_public_key
  Description: Rekor public key, root certificate and signed certificate timestamp (SCT) public key of a private root of trust
  Where it appears: Request body
  Reproduction: Create or update a private root of trust on the Sigstore page
  Environment: NeuVector

Field: public_key
  Description: Verifier's public key
  Where it appears: Request body
  Reproduction: Create or update a verifier on the Sigstore page
  Environment: NeuVector

NeuVector installations that have both the single sign-on integration with Rancher Manager and the Remote Repository Configuration disabled are not affected by this issue.

In the patched version, X-R-Sess is partially masked so that operators can still confirm which session token is in use without exposing it. Log entries containing personal_access_token, token, rekor_public_key, root_cert, sct_public_key and public_key are removed, since the request body does not need to be logged.

  • The severity of the vulnerability depends on your logging strategy.

  • Local logging (default): limits exposure, since the leaked values stay in the manager container's own log.

  • External logging: severity increases; the impact depends on the security measures in place at the external log collector.

  • The final impact on confidentiality, integrity and availability depends on the permissions that the leaked credentials carry on their own services.

Please consult the associated Unsecured Credentials reference for further information about this category of attack.

Patches

Patched versions are release 5.4.5 and later. After upgrading to a fixed version, rotate the GitHub or Azure DevOps personal access token used in the Remote Repository Configuration. Logs written before the upgrade still contain whatever values they captured, so review or purge archived manager logs as well, in particular any that were shipped to an external collector.
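The added example below models the two sides of this advisory: the partial masking of X-R-Sess and the dropped request body that the patched release applies, and a scan over archived manager log lines that reports which of the listed fields still appear unmasked, which is what decides what to rotate after upgrading. It is not NeuVector's code; the log line shapes, the API paths, the number of characters kept by the mask and all sample values are constructed for this example.

```python
import json
import re

# Fields the advisory table lists, and where each appears.
SENSITIVE_HEADERS = {"x-r-sess"}
SENSITIVE_BODY_FIELDS = ("personal_access_token", "token", "rekor_public_key",
                         "root_cert", "sct_public_key", "public_key")

# One regex per field: the name, an optional closing quote, ':' or '=', then the
# value. \b stops `token` matching inside `personal_access_token` and `public_key`
# inside `rekor_public_key`; a value containing '*' is treated as already masked.
LEAK_PATTERNS = {
    name: re.compile(r'\b' + re.escape(name) + r'"?\s*[:=]\s*"?([^"\s,}]+)', re.IGNORECASE)
    for name in SENSITIVE_BODY_FIELDS + ("X-R-Sess",)
}


def mask_header_value(value, visible=6):
    """Partial mask: keep a short prefix so an operator can tell which session is
    in use, hide the rest. How many characters 5.4.5 keeps is not stated; 6 is an
    assumption for this example, and values no longer than that are hidden entirely."""
    if len(value) <= visible:
        return "*" * len(value)
    return value[:visible] + "*" * (len(value) - visible)


def log_line_unpatched(method, path, headers, body):
    """Pre-5.4.5 shape as modelled here: raw headers and the full request body."""
    return f"{method} {path} headers={json.dumps(headers)} body={json.dumps(body)}"


def log_line_patched(method, path, headers, body):
    """Patched shape as modelled here: X-R-Sess partially masked, body not logged."""
    shown = {k: mask_header_value(v) if k.lower() in SENSITIVE_HEADERS else v
             for k, v in headers.items()}
    return f"{method} {path} headers={json.dumps(shown)}"


def find_leaked_fields(lines):
    """Count, per sensitive field, the archived log lines that still carry an
    unmasked value; run this over pre-upgrade manager logs to decide what to rotate."""
    hits = {}
    for line in lines:
        for name, pat in LEAK_PATTERNS.items():
            m = pat.search(line)
            if m and "*" not in m.group(1):
                hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed request: the remote repository configuration submission from the
# table; the API path is a placeholder, not the product's real endpoint.
REQUEST = dict(
    method="POST",
    path="/v1/config/remote_repository",
    headers={"Content-Type": "application/json",
             "X-R-Sess": "token-abcde:0123456789abcdef0123456789abcdef"},
    body={"nickname": "default",
          "personal_access_token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz",
          "repository": "org/policies"},
)

# Constructed archived log lines covering the other rows of the table.
SAMPLE_ARCHIVE = [
    '2025-06-01T10:00:00Z DEBUG GET /user?name=alice headers={"X-R-Sess": "token-abcde:0123456789abcdef0123456789abcdef"}',
    '2025-06-01T10:00:01Z DEBUG response body={"token1": {"token": "9f2c1a7e5b3d4c6f8a0e2b1d3c5f7a9e", "fullname": "alice"}}',
    '2025-06-01T10:00:02Z DEBUG POST /v1/config/remote_repository body={"personal_access_token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"}',
    '2025-06-01T10:00:03Z DEBUG POST /v1/sigstore/root_of_trust body={"rekor_public_key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE"}',
    '2025-06-01T10:00:04Z INFO GET /healthz 200',
]

if __name__ == "__main__":
    print(log_line_unpatched(**REQUEST))
    print(log_line_patched(**REQUEST))
    print(find_leaked_fields(SAMPLE_ARCHIVE))
```

The scan reports field names rather than values on purpose: the public keys and root certificate from the Sigstore rows are not secrets in themselves, but a log that contains them tells you that bodies were being written in full, and the session tokens on the same lines are what an external collector's readers could have reused.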

Workarounds

No workarounds are currently available. Customers are advised to upgrade to a fixed version at their earliest convenience.

Questions and Support