
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-1767 is a security vulnerability discovered in Kubernetes that affects clusters utilizing the in-tree gitRepo volume feature. The vulnerability was disclosed on March 13, 2025, and allows users with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node (Kubernetes Issue, OSS Security).
The vulnerability has been rated as Medium severity with a CVSS v3.1 score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). It specifically affects the kubelet component in all versions of Kubernetes. The vulnerability exists in the in-tree gitRepo volume feature, which has been deprecated and will not receive security updates upstream (OSS Security).
The vulnerability allows attackers with pod creation privileges to access local git repositories belonging to other pods running on the same node, potentially leading to unauthorized access to sensitive repository data (OSS Security).
To mitigate this vulnerability, administrators should use an init container to perform git clone operations and then mount the directory into the Pod's container. Additionally, the use of gitRepo volumes can be restricted using ValidatingAdmissionPolicy or through the Restricted pod security standard policy. A CEL expression can be used to reject gitRepo volumes: !has(object.spec.volumes) || !object.spec.volumes.exists(v, has(v.gitRepo)) (OSS Security).
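
The two mitigations above as manifests. This is an added example, not part of the original advisory text: the policy uses the CEL expression with a leading negation on has(...), so pods without any volumes are admitted. Object names, the git image, the repository URL and the application image are assumptions or placeholders.

```yaml
# Added example; object names are hypothetical.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Admit a pod only if it has no volumes, or none of them is a gitRepo volume.
    - expression: "!has(object.spec.volumes) || !object.spec.volumes.exists(v, has(v.gitRepo))"
      message: "gitRepo volumes are not allowed; clone in an init container instead."
      reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes-binding
spec:
  policyName: deny-gitrepo-volumes
  validationActions: ["Deny"]   # no matchResources: applies cluster-wide
---
# Replacement pattern: an init container clones into an emptyDir shared with the app.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-cloned-repo
spec:
  volumes:
    - name: repo
      emptyDir: {}
  initContainers:
    - name: clone
      image: alpine/git           # assumption: any image whose entrypoint is git
      args: ["clone", "--depth=1", "https://git.example.com/org/repo.git", "/repo"]  # placeholder URL
      volumeMounts:
        - name: repo
          mountPath: /repo
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      volumeMounts:
        - name: repo
          mountPath: /srv/repo
          readOnly: true
```

Pods created by Deployments, Jobs and other controllers pass through the same admission check, so the policy only needs to match the pods resource.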
Source: This report was generated using AI