CVE-2025-25209 MEDIUM

CVE-2025-25209: Rhcl: sharedsecretref can be used to leak secrets

Vendor Red Hat
Product Red Hat Connectivity Link 1
Weakness CWE-200 · Info exposure
Published June 9, 2025
Last update March 26, 2026

CVSS base score

5.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01 Description

The AuthPolicy metadata on Red Hat Connectivity Link contains an object which stores secrets; however, it assumes those secrets are already in the kuadrant-system namespace instead of copying them to the referred namespace. This creates space for a malicious actor with developer persona access to leak those secrets over an HTTP connection, as long as the attacker knows the name of the targeted secrets and those secrets are limited to one line only.

Key dates

02 Disclosure timeline

June 9, 2025 CVE published
March 26, 2026 Record updated