What is CVE-2025-29781?

CVE-2025-29781 is a medium-severity vulnerability in Metal3-io Baremetal-operator, classified under Information Disclosure. CVSS score: 6.5/10. Published 2025-03-17.

How severe is CVE-2025-29781?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Information disclosure in Metal3-io Baremetal-operator

CVE-2025-29781

The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventS…

Vulnerability class: Information Disclosure

EPSS: 0.001 (18.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

Affected products

Metal3-io Baremetal-operator — versions = 0.9.0, < 0.8.1

Weakness classification (CWE)

References

https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq (x_refsource_CONFIRM)
https://github.com/metal3-io/baremetal-operator/pull/2321 (x_refsource_MISC)
https://github.com/metal3-io/baremetal-operator/pull/2322 (x_refsource_MISC)
https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c (x_refsource_MISC)
https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-29781?: CVE-2025-29781 is a medium-severity vulnerability in Metal3-io Baremetal-operator, classified under Information Disclosure. CVSS score: 6.5/10. Published 2025-03-17.
How severe is CVE-2025-29781?: Medium severity. CVSS v3 base score is 6.5 out of 10.