ghsa-w54x-xfxg-4gxq
Vulnerability from github
Impact
When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation. For example,
java -cp /app ... Djavax.net.ssl.trustStorePassword=<Password>
The command with the password appears in the NeuVector security event. To prevent this, NeuVector uses the following default regular expression to detect and redact sensitive data from process commands:
(?i)(password|passwd|token)
Also, you can define custom patterns to redact by creating a Kubernetes ConfigMap. For example:
kubectl create configmap neuvector-custom-rules --from-file=secret-patterns.yaml -n neuvector
Sample secret-patterns.yaml content:
Pattern_list:
- (?i)(pawd|pword)
- (?i)(secret)
NeuVector uses the default and custom regex to decide whether the process command in a security event should be redacted.
Note: If numerous regular expression (regex) patterns are configured in the Kubernetes ConfigMap for extended coverage of sensitive data matching, it can significantly impact performance of NeuVector enforcer, particularly in scenarios involving large inputs or frequent execution. The primary factor contributing to performance issues in regex is backtracking, where the regex engine attempts various matching paths when a pattern doesn't immediately find a match.
Patches
This issue is fixed in NeuVector version 5.4.6 and later.
Workarounds
There is no workaround. Upgrade to a patched version of NeuVector as soon as possible.
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/neuvector/neuvector"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54467"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-549"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-28T13:33:23Z",
"nvd_published_at": "2025-09-17T13:15:34Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen a Java command with password parameters is executed and terminated by NeuVector for Process rule violation. For example, \n\n```\njava -cp /app ... Djavax.net.ssl.trustStorePassword=\u003cPassword\u003e\n```\n\nThe command with the password appears in the NeuVector security event. To prevent this, NeuVector uses the following default regular expression to detect and redact sensitive data from process commands:\n\n```\n(?i)(password|passwd|token)\n```\n\nAlso, you can define custom patterns to redact by creating a Kubernetes ConfigMap. For example:\n\n```\nkubectl create configmap neuvector-custom-rules --from-file=secret-patterns.yaml -n neuvector\n```\n\nSample `secret-patterns.yaml` content:\n\n```\nPattern_list:\n - (?i)(pawd|pword)\n - (?i)(secret)\n```\n\nNeuVector uses the default and custom regex to decide whether the process command in a security event should be redacted.\n\n**Note:** If numerous regular expression (regex) patterns are configured in the Kubernetes ConfigMap for extended coverage of sensitive data matching, it can significantly impact performance of NeuVector enforcer, particularly in scenarios involving large inputs or frequent execution. The primary factor contributing to performance issues in regex is backtracking, where the regex engine attempts various matching paths when a pattern doesn\u0027t immediately find a match.\n\n### Patches\n\nThis issue is fixed in NeuVector version **5.4.6** and later.\n\n### Workarounds\n\nThere is no workaround. Upgrade to a patched version of NeuVector as soon as possible.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
"id": "GHSA-w54x-xfxg-4gxq",
"modified": "2025-09-17T19:12:31Z",
"published": "2025-08-28T13:33:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54467"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54467"
},
{
"type": "PACKAGE",
"url": "https://github.com/neuvector/neuvector"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "NeuVector process with sensitive arguments lead to leakage"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.