Ecosystem	Package	Version

Vulnerabilities

CVE-2025-62878

CVE-2025-62878

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

Published Feb 5, 2026

https://github.com/advisories/GHSA-jr3w-9vfr-c746

CVSS ScoreCritical

10.0

Ecosystem	Package	Version


golang	github.com/rancher/local-path-provisioner	v0.0.11-rc1
golang	github.com/rancher/local-path-provisioner	v0.0.11-rc2
golang	github.com/rancher/local-path-provisioner	v0.0.11
golang	github.com/rancher/local-path-provisioner	v0.0.12
golang	github.com/rancher/local-path-provisioner	v0.0.13
golang	github.com/rancher/local-path-provisioner	v0.0.14
golang	github.com/rancher/local-path-provisioner	v0.0.15
golang	github.com/rancher/local-path-provisioner	v0.0.16
golang	github.com/rancher/local-path-provisioner	v0.0.17
golang	github.com/rancher/local-path-provisioner	v0.0.18
golang	github.com/rancher/local-path-provisioner	v0.0.19
golang	github.com/rancher/local-path-provisioner	v0.0.20
golang	github.com/rancher/local-path-provisioner	v0.0.21
golang	github.com/rancher/local-path-provisioner	v0.0.22
golang	github.com/rancher/local-path-provisioner	v0.0.23
golang	github.com/rancher/local-path-provisioner	v0.0.24
golang	github.com/rancher/local-path-provisioner	v0.0.25
golang	github.com/rancher/local-path-provisioner	v0.0.26
golang	github.com/rancher/local-path-provisioner	v0.0.27
golang	github.com/rancher/local-path-provisioner	v0.0.28-rc1
golang	github.com/rancher/local-path-provisioner	v0.0.28
golang	github.com/rancher/local-path-provisioner	v0.0.29
golang	github.com/rancher/local-path-provisioner	v0.0.30
golang	github.com/rancher/local-path-provisioner	v0.0.31
golang	github.com/rancher/local-path-provisioner	v0.0.32
golang	github.com/rancher/local-path-provisioner	v0.0.33

CVE-2025-62878 | Components Impacted | Sonatype Guide | Sonatype Guide