Red Hat Openshift Devspaces


By the Year

In 2025 there have been 2 vulnerabilities in Red Hat Openshift Devspaces with an average score of 6.8 out of ten. In 2024 Openshift Devspaces had 3 security vulnerabilities published. Right now, Openshift Devspaces is on track to have fewer security vulnerabilities in 2025 than it did last year. The average CVE base score in 2024 was 0.68 higher than the 2025 average so far (7.43 versus 6.75).

Year Vulnerabilities Average Score
2025 2 6.75
2024 3 7.43

It may take a day or so for new Openshift Devspaces vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Openshift Devspaces Security Vulnerabilities

Podman v4.0.0–v5.6.1: kube Play Overwrite Host Files via Symlink Volumes
CVE-2025-9566 8.1 - High - September 05, 2025

There is a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and that volume contains a symbolic link to a host file path. In a successful attack, the attacker controls only which target file is overwritten, not the content written into it. Binary affected: podman. Upstream version introduced: v4.0.0. Upstream version fixed: v5.6.1.

Directory traversal
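The practitioner's check for the class of bug above is to never write a volume entry through a symlink. The following is an added example written for this page, not podman's code or its fix: a hypothetical writeVolumeEntry helper that restricts keys to the character set Kubernetes allows for ConfigMap/Secret keys (so a key can never carry a path separator) and opens the target with O_NOFOLLOW so that a link planted inside the volume cannot redirect the write to a host file. The demo directory, host file and key names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"syscall"
)

var (
	ErrBadKey  = errors.New("invalid volume entry name")
	ErrSymlink = errors.New("refusing to write through a symbolic link")
)

// keyRE mirrors the character set Kubernetes allows for ConfigMap/Secret keys,
// so a key can never contain a path separator; "." and ".." are rejected below.
var keyRE = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// writeVolumeEntry materialises one ConfigMap/Secret key as a file inside
// volumeDir. Hypothetical helper written for this page, not podman's code.
func writeVolumeEntry(volumeDir, key string, data []byte) error {
	if !keyRE.MatchString(key) || key == "." || key == ".." {
		return ErrBadKey
	}
	target := filepath.Join(volumeDir, key)
	// O_NOFOLLOW makes the kernel refuse to open a symlink as the final path
	// component, so a link planted inside the volume cannot redirect the write
	// to a host file. Acting on the open() error (ELOOP) instead of doing an
	// Lstat() first avoids the check-then-use race between the two calls.
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		if errors.Is(err, syscall.ELOOP) {
			return ErrSymlink
		}
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

func main() {
	// Constructed demo: a volume directory containing a symlink to a "host" file,
	// the layout the advisory describes.
	vol, _ := os.MkdirTemp("", "vol")
	host := filepath.Join(os.TempDir(), "host-file-demo")
	os.WriteFile(host, []byte("original\n"), 0o600)
	os.Symlink(host, filepath.Join(vol, "config"))

	fmt.Println(writeVolumeEntry(vol, "config", []byte("attacker\n"))) // refused: symlink
	fmt.Println(writeVolumeEntry(vol, "../escape", nil))               // refused: bad key
	fmt.Println(writeVolumeEntry(vol, "app.conf", []byte("k=v\n")))    // written
	os.RemoveAll(vol)
	os.Remove(host)
}
```

The key whitelist handles the traversal half and O_NOFOLLOW handles the symlink half; checking the open() error rather than stat-then-open is what keeps the second check from being racy.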

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

Uninitialized Buffer in Go FIPS OpenSSL May Cause False HMAC Match
CVE-2024-9355 6.5 - Medium - October 01, 2024

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum, if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

Use of Uninitialized Variable
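The caveat a practitioner takes from the entry above is that a MAC or key-derivation backend can fail by returning a zeroed buffer, and that a comparison against a zeroed client-supplied value then "succeeds". The following is an added example for this page, not Go's, golang-fips' or Red Hat's code: verification built on the standard-library HMAC that, in addition to the constant-time comparison, refuses a tag of the wrong length and an all-zero value on either side, and the same all-zero guard applied to a derived key. Key and message bytes are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrBadMAC = errors.New("hmac verification failed")
	ErrBadKey = errors.New("derived key is empty or all zeros")
)

// computeTag returns HMAC-SHA256(key, msg) using the standard library; the
// FIPS backend is not involved here, only the checks that sit around it.
func computeTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// isAllZero reports whether b is entirely zero. It scans every byte so the
// time taken does not reveal where the first non-zero byte sits.
func isAllZero(b []byte) bool {
	var acc byte
	for _, x := range b {
		acc |= x
	}
	return acc == 0
}

// verifyTag recomputes the tag and compares it in constant time. Beyond the
// comparison it rejects tags of the wrong length and an all-zero tag on either
// side, so a backend that hands back a zeroed buffer, or a client that sends
// one, can never produce a match.
func verifyTag(key, msg, tag []byte) error {
	expected := computeTag(key, msg)
	if len(expected) != sha256.Size || len(tag) != sha256.Size {
		return ErrBadMAC
	}
	if isAllZero(expected) || isAllZero(tag) {
		return ErrBadMAC
	}
	if !hmac.Equal(expected, tag) {
		return ErrBadMAC
	}
	return nil
}

// acceptDerivedKey is the equivalent guard for key material coming out of a
// KDF: an empty or all-zero key is treated as a backend failure, not a key.
func acceptDerivedKey(k []byte) error {
	if len(k) == 0 || isAllZero(k) {
		return ErrBadKey
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key")
	msg := []byte("GET /api/v1/secrets")
	good := computeTag(key, msg)
	zero := make([]byte, sha256.Size)
	fmt.Println(verifyTag(key, msg, good))      // nil: genuine tag
	fmt.Println(verifyTag(key, msg, zero))      // rejected: zeroed tag
	fmt.Println(verifyTag(key, msg, good[:16])) // rejected: wrong length
	fmt.Println(acceptDerivedKey(zero))         // rejected: zeroed key
}
```

hmac.Equal already returns false on a length mismatch; the explicit length and all-zero checks are there for the failure mode this entry describes, where the trusted side of the comparison is the corrupted value.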

Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727 8.3 - High - May 14, 2024

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

Improper Validation of Integrity Check Value
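A registry client that turns manifest-supplied identifiers into storage paths must validate them before they touch the filesystem. The following is an added example for this page, not containers/image's code or its fix, and it assumes a hypothetical storage layout of <root>/blobs/<algorithm>/<hex>: a strict digest parser that accepts only a known algorithm and lowercase hex of the exact length, beside the anti-pattern of splicing the raw string into a path, which is where a traversal sequence in a digest ends up. The root directory and digest strings are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrBadDigest = errors.New("malformed digest")

// hexLen is the number of hex characters expected for each supported algorithm.
var hexLen = map[string]int{"sha256": 64, "sha512": 128}

// parseDigest accepts only "<algo>:<lowercase hex>" with the exact length for
// the algorithm. Anything else (uppercase, "..", slashes, unknown algorithm,
// wrong length) is rejected before the string gets anywhere near a path.
func parseDigest(d string) (string, string, error) {
	algo, hex, ok := strings.Cut(d, ":")
	if !ok {
		return "", "", ErrBadDigest
	}
	want, known := hexLen[algo]
	if !known || len(hex) != want {
		return "", "", ErrBadDigest
	}
	for i := 0; i < len(hex); i++ {
		c := hex[i]
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'f') {
			return "", "", ErrBadDigest
		}
	}
	return algo, hex, nil
}

// blobPath maps a validated digest to its storage path. Hypothetical layout,
// not containers/image's.
func blobPath(root, digest string) (string, error) {
	algo, hex, err := parseDigest(digest)
	if err != nil {
		return "", err
	}
	p := filepath.Join(root, "blobs", algo, hex)
	// Defence in depth: whatever the parser accepted must still resolve under root.
	if !strings.HasPrefix(p, filepath.Clean(root)+string(filepath.Separator)) {
		return "", ErrBadDigest
	}
	return p, nil
}

// unsafeBlobPath is the anti-pattern: trusting the digest string from a
// manifest and splicing it into a path. Shown only to contrast with blobPath.
func unsafeBlobPath(root, digest string) string {
	return filepath.Join(root, "blobs", strings.Replace(digest, ":", "/", 1))
}

func main() {
	root := "/var/lib/demo-store" // constructed
	good := "sha256:" + strings.Repeat("ab", 32)
	evil := "sha256:../../../../etc/passwd"
	fmt.Println(blobPath(root, good))        // /var/lib/demo-store/blobs/sha256/abab... <nil>
	fmt.Println(blobPath(root, evil))        // "" malformed digest
	fmt.Println(unsafeBlobPath(root, evil))  // /var/etc/passwd, outside root
}
```

The length check matters as much as the character check: a digest that is valid hex but the wrong length is not a digest either, and accepting it lets a manifest name arbitrary files under the blob directory.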

Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394 7.5 - High - March 21, 2024

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

Memory Leak
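The pattern described in the entry above is reproducible in a few lines of Go, and is worth seeing once because it is not a cgo or OpenSSL problem but a language semantics one: named results are assigned by the return statement before deferred functions run, so "return nil, nil, err" hands the deferred cleanup nil handles. The following is an added example written for this page, not golang-fips' code or its fix. The resource type and counters stand in for the pkey and ctx handles; the fixed variant leaves the named results set and returns only the error.

```go
package main

import (
	"errors"
	"fmt"
)

// resource stands in for an OpenSSL pkey or ctx handle.
type resource struct{ freed bool }

// allocated and freed count handles for the demo; a real leak would show up
// as C heap growth instead.
var allocated, freed int

func alloc() *resource { allocated++; return &resource{} }

// free tolerates a nil receiver, exactly like the C free functions the
// deferred cleanup calls: freeing nil is a silent no-op, not an error.
func (r *resource) free() {
	if r != nil && !r.freed {
		r.freed = true
		freed++
	}
}

// buggyInit reproduces the pattern from the CVE description: named results,
// a deferred cleanup that frees them on error, and error returns written as
// "return nil, nil, err". The return statement overwrites pkey and ctx with
// nil before the defer runs, so the handles are never released.
func buggyInit(failAt int) (pkey, ctx *resource, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
		}
	}()
	pkey = alloc()
	if failAt == 1 {
		return nil, nil, errors.New("setting key failed")
	}
	ctx = alloc()
	if failAt == 2 {
		return nil, nil, errors.New("initialising context failed")
	}
	return pkey, ctx, nil
}

// fixedInit sets only err on failure and returns bare, so the deferred
// cleanup sees the real handles, frees them, and then nils the results
// the caller receives.
func fixedInit(failAt int) (pkey, ctx *resource, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
			pkey, ctx = nil, nil
		}
	}()
	pkey = alloc()
	if failAt == 1 {
		err = errors.New("setting key failed")
		return
	}
	ctx = alloc()
	if failAt == 2 {
		err = errors.New("initialising context failed")
		return
	}
	return pkey, ctx, nil
}

// leakedOnFailure runs init on the given failing path and reports how many
// allocations were never freed.
func leakedOnFailure(init func(int) (*resource, *resource, error), failAt int) int {
	allocated, freed = 0, 0
	_, _, _ = init(failAt)
	return allocated - freed
}

func main() {
	fmt.Println("buggy, fail after ctx:", leakedOnFailure(buggyInit, 2)) // 2 leaked
	fmt.Println("buggy, fail after key:", leakedOnFailure(buggyInit, 1)) // 1 leaked
	fmt.Println("fixed, fail after ctx:", leakedOnFailure(fixedInit, 2)) // 0 leaked
	fmt.Println("fixed, fail after key:", leakedOnFailure(fixedInit, 1)) // 0 leaked
}
```

Returning the handles themselves alongside the error ("return pkey, ctx, err") would also let the cleanup see them; what matters is that the error path does not replace the named results with nil before the deferred function reads them.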

Vendor: Red Hat