CVE-2025-62714

Oct. 24, 2025, 4:28 p.m.

8.7
High

Description

Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.

Product(s) Impacted

Vendor Product Versions
Karmada
  • Karmada Dashboard
  • <0.2.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a karmada karmada_dashboard <0.2.0 / / / / / /

References

https://github.com/karmada-io/dashboard/commit/8457b8bb87725e2371a638ca5a255fd2895c70f1
https://github.com/karmada-io/dashboard/commit/d2d04909f25e96b4c20fa6b636c398bd1636ee06
https://github.com/karmada-io/dashboard/pull/271
https://github.com/karmada-io/dashboard/pull/280
https://github.com/karmada-io/dashboard/releases/tag/v0.2.0
https://github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92

Tags

security-advisories@github.com
CWE-862
2025-10-24
CVE-2025-62714

CVSS Score

8.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Oct. 24, 2025, 4:28 p.m.
Last Modified: Oct. 24, 2025, 4:28 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.