Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-w54x-xfxg-4gxq

GitHub Security Advisory

NeuVector process with sensitive arguments lead to leakage

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact

When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation. For example,

```
java -cp /app ... Djavax.net.ssl.trustStorePassword=<Password>
```

The command with the password appears in the NeuVector security event. To prevent this, NeuVector uses the following default regular expression to detect and redact sensitive data from process commands:

```
(?i)(password|passwd|token)
```

Also, you can define custom patterns to redact by creating a Kubernetes ConfigMap. For example:

```
kubectl create configmap neuvector-custom-rules --from-file=secret-patterns.yaml -n neuvector
```

Sample `secret-patterns.yaml` content:

```
Pattern_list:
- (?i)(pawd|pword)
- (?i)(secret)
```

NeuVector uses the default and custom regex to decide whether the process command in a security event should be redacted.

**Note:** If numerous regular expression (regex) patterns are configured in the Kubernetes ConfigMap for extended coverage of sensitive data matching, it can significantly impact performance of NeuVector enforcer, particularly in scenarios involving large inputs or frequent execution. The primary factor contributing to performance issues in regex is backtracking, where the regex engine attempts various matching paths when a pattern doesn't immediately find a match.

### Patches

This issue is fixed in NeuVector version **5.4.6** and later.

### Workarounds

There is no workaround. Upgrade to a patched version of NeuVector as soon as possible.

### References

If you have any questions or comments about this advisory:

- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.
- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.
- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).

Affected Packages

Go github.com/neuvector/neuvector
Affected versions: 5.0.0 (fixed in 5.4.6)

Related CVEs

CVE-2025-54467

Key Information

GHSA ID
GHSA-w54x-xfxg-4gxq
Published
August 28, 2025 1:33 PM
Last Modified
September 17, 2025 7:12 PM
CVSS Score
5.0 /10
Primary Ecosystem
Go
Primary Package
github.com/neuvector/neuvector
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.