Vulnerability Description
Karmada Dashboard is a general-purpose, web-based control panel for Karmada, a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.
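The Go program below is an added illustration of the defect class described above; it is not Karmada Dashboard's own code and does not reproduce its actual routing. It registers the two API paths named in the advisory once without and once with an authentication middleware, so the response to an unauthenticated request can be compared; the token list is a constructed stand-in for real JWT verification.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for real JWT verification (assumption for this example).
var validTokens = map[string]bool{"example-token": true}

// requireAuth is the check the advisory describes as absent on the API routes: no valid bearer token, no handler, just 401.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, prefix) || !validTokens[h[len(prefix):]] {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// secretHandler stands in for an endpoint that would return Secrets.
func secretHandler(w http.ResponseWriter, _ *http.Request) {
	w.Write([]byte(`{"items":["example-secret"]}`))
}

// NewMux registers the advisory's two paths; protect=false mirrors the pre-0.2.0 condition, protect=true wraps them in requireAuth.
func NewMux(protect bool) *http.ServeMux {
	mux := http.NewServeMux()
	var api http.Handler = http.HandlerFunc(secretHandler)
	if protect {
		api = requireAuth(api)
	}
	mux.Handle("/api/v1/secret", api)
	mux.Handle("/api/v1/service", api)
	return mux
}
// Probe sends a GET for path with an optional bearer token and returns the HTTP status.
func Probe(mux *http.ServeMux, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}
```

With `NewMux(false)` an unauthenticated GET to `/api/v1/secret` returns 200, which is the condition the advisory describes; with `NewMux(true)` the same request returns 401 and only a valid token reaches the handler.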
Related Weaknesses (CWE)
References
- https://github.com/karmada-io/dashboard/commit/8457b8bb87725e2371a638ca5a255fd28
- https://github.com/karmada-io/dashboard/commit/d2d04909f25e96b4c20fa6b636c398bd1
- https://github.com/karmada-io/dashboard/pull/271
- https://github.com/karmada-io/dashboard/pull/280
- https://github.com/karmada-io/dashboard/releases/tag/v0.2.0
- https://github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92
FAQ
What is CVE-2025-62714?
CVE-2025-62714 is a documented vulnerability. Karmada Dashboard is a general-purpose, web-based control panel for Karmada, a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the ...
How severe is CVE-2025-62714?
CVSS scoring is not yet available for CVE-2025-62714. Check NVD for updates.
Is there a patch for CVE-2025-62714?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.