### [CVE-2025-58061](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58061)

![](https://img.shields.io/static/v1?label=Product&message=rawfile-localpv&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=%3C%200.10.0%20&color=brightgreen) ![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-200%3A%20Exposure%20of%20Sensitive%20Information%20to%20an%20Unauthorized%20Actor&color=brightgreen)

### Description

OpenEBS Local PV RawFile allows dynamic deployment of stateful, persistent, node-local volumes and filesystems for Kubernetes. Prior to version 0.10.0, persistent volume data is world-readable, which allows non-privileged users on the node to access sensitive data such as the databases of Kubernetes workloads. The rawfile-localpv storage class creates persistent volume data under /var/csi/rawfile/ on Kubernetes hosts by default; however, that directory and the data in it are world-readable. This lets non-privileged users read the whole persistent volume, which can include sensitive information such as an entire database when Kubernetes tenants run MySQL or PostgreSQL in a container, so it could lead to a database breach. This issue has been patched in version 0.10.0.

### POC

#### Reference

- https://github.com/openebs/rawfile-localpv/security/advisories/GHSA-wh95-vw4r-xwx4

#### Github

No PoCs found on GitHub currently.
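The weakness described above is a permission-bits problem on the node filesystem, so the practical checks a defender wants are an audit that lists anything under the volume root that other users can read, and a tightening step for hosts that cannot be upgraded immediately. The script below is an added example written for this page; it is not code from the rawfile-localpv project or the advisory. It assumes the advisory's default data path `/var/csi/rawfile` and uses only POSIX `find`/`chmod`; the `audit_world_readable` and `harden_world_readable` function names are this example's own. Upgrading to 0.10.0 remains the fix the advisory gives; the hardening function only removes the world-readable exposure on a pre-0.10.0 host.

```bash
#!/bin/sh
# Added example (not from the advisory or the rawfile-localpv project):
# audit a rawfile-localpv data directory for world-readable entries and,
# optionally, strip the "other" permission bits.
#
# Default path is the advisory's /var/csi/rawfile; any directory can be passed
# so the functions can be exercised on a throwaway tree.

# audit_world_readable [DIR]
#   Prints every file or directory under DIR whose mode has the o+r bit set
#   (the condition the advisory describes). Returns 1 if anything was found,
#   0 if the tree is clean, 2 if DIR does not exist.
audit_world_readable() {
    dir="${1:-/var/csi/rawfile}"
    [ -d "$dir" ] || { echo "audit: no such directory: $dir" >&2; return 2; }
    # -perm -o=r matches entries where the "other read" bit is set, regardless
    # of the remaining bits. A directory with o+r already leaks volume names;
    # a file with o+r leaks its contents (e.g. a database file).
    hits=$(find "$dir" -perm -o=r 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# harden_world_readable [DIR]
#   Removes read/write/execute for "other" on DIR and everything beneath it.
#   This is a generic mitigation for the exposure (assumption: the CSI plugin
#   itself runs with enough privilege that dropping "other" bits does not
#   affect it); it is not the project's own fix. Returns 0 on success.
harden_world_readable() {
    dir="${1:-/var/csi/rawfile}"
    [ -d "$dir" ] || { echo "harden: no such directory: $dir" >&2; return 2; }
    # chmod -R with a symbolic mode is POSIX and leaves owner/group bits alone.
    chmod -R o-rwx "$dir"
}

# Stand-alone run: audit the default path, report, and leave it untouched.
if [ "${0##*/}" = "audit_rawfile.sh" ]; then
    if audit_world_readable "$@"; then
        echo "no world-readable entries found"
    else
        echo "world-readable entries present (see list above)" >&2
    fi
fi
```

Run the audit first as a read-only check (a non-empty listing is the finding); only apply `harden_world_readable` after confirming the volume root is not shared with processes that rely on "other" access, since it rewrites modes for the entire tree.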