GHSA-pv22-fqcj-7xwh: Inspektor Gadget Security Policies Can be Bypassed

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • GitHub Advanced Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-pv22-fqcj-7xwh

Inspektor Gadget Security Policies Can be Bypassed

Package

gomod github.com/inspektor-gadget/inspektor-gadget (Go)

Affected versions

>= 0.31.0, < 0.40.0

Description

Security policies like allowed-gadgets, disallow-pulling, verify-image can be bypassed by a malicious client.

Impact

Users running ig in daemon mode or IG on Kubernetes that rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, like the correct TLS certificates on the ig daemon case or access to the cluster in the Kubernetes case.

Patches

The issue has been fixed in v0.40.0

Workarounds

There is not known workaround to fix it.

References

• GHSA-pv22-fqcj-7xwh
• inspektor-gadget/inspektor-gadget@c51d419

Published to the GitHub Advisory Database

May 6, 2025

EPSS score