Vulnerability Database

309,539

Total vulnerabilities in the database

Inspektor Gadget Security Policies Can be Bypassed

Security policies like allowed-gadgets, disallow-pulling, verify-image can be bypassed by a malicious client.

Impact

Users running ig in daemon mode or IG on Kubernetes that rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, like the correct TLS certificates on the ig daemon case or access to the cluster in the Kubernetes case.

Patches

The issue has been fixed in v0.40.0

Workarounds

There is not known workaround to fix it.

Published: May 6, 2025
Updated: May 6, 2025
GHSA: GHSA-pv22-fqcj-7xwh
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H

CWEs:

CWE-285

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/inspektor-gadget/inspektor-gadget	0.31.0	0.40.0

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo