CVE-2025-54471: 
Wolfi vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-54471) was discovered in NeuVector, affecting versions 5.3.0 through 5.4.6. The vulnerability stems from the use of hard-coded cryptographic keys embedded in the source code, which were used to encrypt sensitive configurations during data storage. This vulnerability was discovered and reported by Noah Gregory, and was patched in version 5.4.7 (GitHub Advisory, Miggo).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Moderate), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue involves a hard-coded cryptographic key (CWE-321) that was embedded in the source code and used at compilation time to encrypt sensitive configurations. The vulnerability allows potential exposure of encrypted data due to the predictable nature of the cryptographic key (GitHub Advisory).

The vulnerability could allow malicious actors to decrypt sensitive configuration data stored by NeuVector, potentially exposing confidential information. The impact is primarily focused on data confidentiality, with no direct effect on system integrity or availability (GitHub Advisory, Miggo).

There are no workarounds for this vulnerability. Users are strongly recommended to upgrade to NeuVector version 5.4.7 or later, which implements a new security measure using Kubernetes secrets (neuvector-store-secret) in the neuvector namespace to dynamically generate cryptographically secure random keys. The patched version also includes automatic key rotation every 3 months (GitHub Advisory).