CVE-2025-62159: 
MinimOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-62159) was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The vulnerability allowed unauthorized cross-namespace secret access in Kubernetes environments due to the provider retrieving Kubernetes secrets directly without proper namespace context validation or secret store type verification. The issue was disclosed on October 10, 2025, affecting the External Secrets Operator's BeyondTrust provider implementation (GitHub Advisory, NVD).

The vulnerability stems from the BeyondTrust provider's implementation which retrieved Kubernetes secrets without proper validation of namespace context or secret store type. This security flaw allowed unauthorized access across namespace boundaries, potentially exposing sensitive credentials. The vulnerability has been assigned a CVSS 4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue is classified under CWE-284 (Improper Access Control) (GitHub Advisory).

The vulnerability's impact is significant, potentially allowing attackers or misconfigured resources to retrieve secrets from unauthorized namespaces, unless explicitly configured as a ClusterSecretStore. This could lead to privilege escalation, data exfiltration, or compromise of service accounts and credentials (GitHub Advisory).

The vulnerability has been patched in version 0.20.0, where the provider code was updated to use the resolvers.SecretKeyRef utility, which enforces namespace validation and only allows cross-namespace access for ClusterSecretStore types. As a workaround, organizations can use a policy engine such as Kyverno or OPA to prevent using the BeyondTrust provider and/or validate the (Cluster)SecretStore, ensuring the namespace may only be set when using a ClusterSecretStore (GitHub Advisory).