CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Description (NVD)
Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync() function with unsanitized input derived from environment variables, which can be influenced by an attacker. The variables ${teamID}, ${entitlementsPath}, and ${config.app} are dynamically derived from the environment or application config and passed directly to the shell command without proper escaping or argument separation. This exposes the system to command injection if any of the values contain malicious input. This vulnerability is fixed in 0.31.1.
Analysis (AI)
CVE-2025-53542 is a command injection vulnerability in Headlamp's macOS packaging workflow (codeSign.js): unsanitized environment variables and config values are interpolated into a Node.js execSync() call without escaping, allowing a local attacker who can influence those values to execute arbitrary commands. It affects Headlamp versions prior to 0.31.1. No KEV listing or confirmed public POC appears in the available data, but the CVSS 3.1 base score of 7.7 (High on the CVSS 3.1 scale, with user interaction required) makes it a realistic threat in CI/CD and development environments.
Technical Context (AI)
The vulnerability resides in the codeSign.js script used during macOS application packaging in the Headlamp Kubernetes web UI project. The root cause is improper use of Node.js's execSync() function (CWE-78: Improper Neutralization of Special Elements used in an OS Command), a classic OS command injection flaw. Specifically, template variables ${teamID}, ${entitlementsPath}, and ${config.app} are derived from environment variables or application configuration and concatenated directly into shell commands without sanitization, escaping, or argument separation. This allows an attacker who controls these environment variables (e.g., in a compromised build pipeline, through .env files, or via system environment poisoning) to inject shell metacharacters (pipes, semicolons, backticks, command substitution) to execute arbitrary code. The execSync() function spawns a shell interpreter, making it inherently dangerous with untrusted input; proper remediation requires either using execFileSync() with argument arrays or rigorous input validation/escaping.
Remediation (AI)
Immediate remediation: (1) Upgrade Headlamp to version 0.31.1 or later, the release that contains the fix. (2) Patch codeSign.js by replacing the unsafe execSync() call with execFileSync() using an array of arguments (e.g., execFileSync('codesign', ['-s', teamID, '--entitlements', entitlementsPath, config.app]), so no shell interprets the values), or, if shell execution is genuinely necessary, by escaping every interpolated value with a library such as 'shell-escape' or 'shellwords'. (3) Short-term workaround: restrict environment variable access in build pipelines following the principle of least privilege, and validate that ${teamID}, ${entitlementsPath}, and ${config.app} match expected patterns (regex allow-list) before the build runs. (4) Code review: audit all other Node.js build scripts (webpack config, build.js, etc.) for similar execSync() misuse. The vendor should publish a security advisory with patch details; check Headlamp's GitHub releases (github.com/kinvolk/headlamp or equivalent) for v0.31.1+ release notes.
EUVD identifier: EUVD-2025-21025