CVE-2025-9276 | THREATINT

Description

Cockroach Labs cockroach-k8s-request-cert Empty Root Password Authentication Bypass Vulnerability. This vulnerability could allow remote attackers to bypass authentication on systems that use the affected version of the Cockroach Labs cockroach-k8s-request-cert container image. The specific flaw exists within the configuration of the system shadow file. The issue results from a blank password setting for the root user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-22195.

PUBLISHED Reserved 2025-08-20 | Published 2025-09-02 | Updated 2025-09-03 | Assigner zdi

CRITICAL: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-258: Empty Password in Configuration File

Product status

Default status

unknown

cockroachdb/cockroach-k8s-request-cert:latest

affected

References

www.zerodayinitiative.com/advisories/ZDI-25-855/ (ZDI-25-855)

cve.org (CVE-2025-9276)

nvd.nist.gov (CVE-2025-9276)

Download JSON