Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was found in the codeSign.js script used in Headlamp's macOS packaging workflow. The script builds a shell command string for Node.js's execSync() and interpolates the values ${teamID}, ${entitlementsPath} and ${config.app}, which are taken from environment variables or the application config, directly into that string with no escaping and no argument separation. An attacker who can influence any of those values can therefore inject arbitrary shell commands, which run with the privileges of the packaging process. This vulnerability is fixed in Headlamp 0.31.1.
History

Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | epss | epss |

Fri, 11 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | epss |

Thu, 10 Jul 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc |

Thu, 10 Jul 2025 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync() function with unsanitized input derived from environment variables, which can be influenced by an attacker. The variables ${teamID}, ${entitlementsPath}, and ${config.app} are dynamically derived from the environment or application config and passed directly to the shell command without proper escaping or argument separation. This exposes the system to command injection if any of the values contain malicious input. This vulnerability is fixed in 0.31.1. |
| Title | | Kubernetes Headlamp Allows Arbitrary Command Injection in macOS Process headlamp@codeSign |
| Weaknesses | | CWE-78 CWE-88 |
| References | | |
| Metrics | | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-07-10T18:20:21.446Z
Updated: 2025-07-10T19:03:00.522Z
Reserved: 2025-07-02T15:15:11.515Z
Link: CVE-2025-53542

Vulnrichment
Updated: 2025-07-10T19:02:56.853Z

NVD
Status: Awaiting Analysis
Published: 2025-07-10T19:15:26.497
Modified: 2025-07-15T13:14:49.980
Link: CVE-2025-53542

Redhat
No data.