Security Advisories and CVEs

NeuVector is committed to informing the community of security issues. Below is a CVE reference list of published security advisories and CVEs (Common Vulnerabilities and Exposures) for issues we have resolved.

CVE List

ID	Description	Date	Release
CVE-2025-8077	For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful.	25 Aug 2025	NeuVector v5.4.6
CVE-2025-53884	NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords.For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login.	25 Aug 2025	NeuVector v5.4.6
CVE-2025-54467	By default, NeuVector redacts process commands that contain the strings password,passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact.	25 Aug 2025	NeuVector v5.4.6

Description

Date

Release

CVE-2025-8077

For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful.

25 Aug 2025

NeuVector v5.4.6

CVE-2025-53884

NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords.For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login.

25 Aug 2025

NeuVector v5.4.6

CVE-2025-54467

By default, NeuVector redacts process commands that contain the strings password,passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact.

25 Aug 2025

NeuVector v5.4.6

Sensitive Information Exposure in NeuVector Manager Container Logs

CVE ID: CVE-2025-46808 CVSS Score: 6.8 — AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CWE: CWE-532: Insertion of Sensitive Information into Log File

Affected Versions

All versions earlier than 5.0.0
Versions from 5.0.0 up to and including 5.4.4

Fixed version: 5.4.5

Impact

A vulnerability has been identified in NeuVector versions up to and including 5.4.4, where sensitive information is leaked into the manager container’s log. The following fields may be exposed:

Field Field Description Where it Appears Reproduction Environment

Field	Field Description	Where it Appears	Reproduction	Environment
`X-R-Sess`	Rancher’s session token for single sign-on	Request header	Log in via Rancher UI and access NeuVector SSO	Rancher with NeuVector SSO
`personal_access_token`	GitHub / Azure DevOps token	Request body	Submit remote repository config under Configuration > Settings	NeuVector
`token1.token`	NeuVector user’s session token	Response body	GET request to `https://<neuvector-ui-url>/user?name=<username>`	NeuVector
`rekor_public_key`, `root_cert`, `sct_public_key`	Rekor public key, Root certificate, SCT public key in private root of trust	Request body	Create/update private root of trust in Sigstore page	NeuVector
`public_key`	Verifier’s public key	Request body	Create/update verifier in Sigstore page	NeuVector

X-R-Sess

Rancher’s session token for single sign-on

Request header

Rancher with NeuVector SSO

personal_access_token

GitHub / Azure DevOps token

Request body

Submit remote repository config under Configuration > Settings

NeuVector

token1.token

NeuVector user’s session token

Response body

GET request to https://<neuvector-ui-url>/user?name=<username>

NeuVector

rekor_public_key, root_cert, sct_public_key

Rekor public key, Root certificate, SCT public key in private root of trust

Request body

Create/update private root of trust in Sigstore page

NeuVector

public_key

Verifier’s public key

Request body

Create/update verifier in Sigstore page

NeuVector

NeuVector installations that do not use Rancher SSO or Remote Repository Configuration are not affected by this issue.

In the patched version, the X-R-Sess value is partially masked for safety. Other fields such as personal_access_token, token, rekor_public_key, root_cert, sct_public_key, and public_key are no longer logged, as request body logging was removed.

The severity of this vulnerability depends on your logging strategy:
- Local logging (default): Limits impact exposure.
- External logging: Increases risk, depending on your external log collector’s security posture.
Impact severity may also depend on the permissions of the exposed credentials.

Patches

Patched versions include 5.4.5 and above. Users should rotate any GitHub token used in Remote Repository Configuration after upgrading.

Workarounds

No workarounds are currently available. Upgrade to the fixed version as soon as possible.

Questions and Support

Contact the SUSE Rancher Security team.
Open an issue in the NeuVector GitHub repository.
References:
- NeuVector Support Matrix
- Product Support Lifecycle