CVE-2025-54469

Severity CVSS v4.0: Pending analysis
Type: CWE-78 OS Command Injection
Publication date: 30/10/2025
Last modified: 30/10/2025

Description

A vulnerability was identified in NeuVector, where the enforcer used the environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values.

The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the popen function to execute a shell command that determines whether the ports used by the consul subprocess are still active.

The values of the environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization. This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container.
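The weakness described above is that an environment-supplied string reaches a popen() command line unchanged. The added example below is not NeuVector's code; it shows the defensive pattern a monitor process can apply before ever building such a command: treat the variable as a port number, accept only a decimal value in 1..65535, and compose the command from the validated integer rather than the raw string. The function names (parse_port_strict, build_port_check_cmd) and the shape of the port-check command are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Validate that an environment-supplied port string is strictly a decimal
 * number in 1..65535. Returns the port on success, -1 on any deviation
 * (NULL, empty, non-digit characters, sign prefix, out of range). Because
 * only digits pass, no shell metacharacter can reach the command line. */
int parse_port_strict(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 5) return -1;
    for (const char *p = s; *p; p++) {
        if (!isdigit((unsigned char)*p)) return -1;
    }
    long v = strtol(s, NULL, 10);
    if (v < 1 || v > 65535) return -1;
    return (int)v;
}

/* Build the port-check command from a validated integer only. Returns 0 on
 * success, -1 if the variable is missing/invalid or the buffer is too small.
 * The command shape below is an assumption for this example, not the
 * command the NeuVector monitor process actually runs. */
int build_port_check_cmd(const char *env_value, char *out, size_t outlen) {
    int port = parse_port_strict(env_value);
    if (port < 0) return -1;
    int n = snprintf(out, outlen, "ss -lnt | grep -q ':%d '", port);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* Stand-alone driver: read the two variables named in the advisory and
 * refuse to hand anything to popen() unless the value validates. */
int main(void) {
    const char *vars[] = { "CLUSTER_RPC_PORT", "CLUSTER_LAN_PORT" };
    char cmd[128];
    for (size_t i = 0; i < 2; i++) {
        const char *val = getenv(vars[i]);
        if (build_port_check_cmd(val, cmd, sizeof cmd) != 0) {
            fprintf(stderr, "%s: missing or not a valid port; check skipped\n", vars[i]);
            continue;
        }
        printf("%s validated; command would be: %s\n", vars[i], cmd);
        /* popen(cmd, "r") would run here; omitted so the example runs offline. */
    }
    return 0;
}
```

The stronger fix is to avoid the shell entirely (for example, checking the port by opening the listening socket or parsing /proc/net/tcp directly), but when a shell command is unavoidable, converting the untrusted string to a bounded integer before formatting is the check that closes the CWE-78 path.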