CVE-2025-6193
📋 TL;DR
A command injection vulnerability in the TrustyAI Explainability toolkit allows authenticated users with permission to deploy custom resources (CRs) to execute arbitrary commands in LMEvalJob pods. This occurs when malicious input is placed in specific fields of LMEvalJob custom resources. Affected users include those with access to deploy custom resources in TrustyAI environments.
💻 Affected Systems
- TrustyAI Explainability toolkit
- trustyai-service-operator
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the LMEvalJob pod leading to lateral movement within the Kubernetes cluster, data exfiltration, or deployment of persistent backdoors.
Likely Case
Unauthorized command execution within the pod, potentially leading to data leakage, service disruption, or privilege escalation within the container.
If Mitigated
Limited impact due to proper RBAC controls, network segmentation, and pod security policies restricting malicious actions.
🎯 Exploit Status
Exploitation requires knowledge of the vulnerable fields and permissions to deploy custom resources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing fix from PR #504
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-6193
Restart Required: Yes
Instructions:
1. Update trustyai-service-operator to version containing PR #504 fix.
2. Restart affected pods.
3. Verify no malicious LMEvalJob CRs exist.
🔧 Temporary Workarounds
RBAC Restriction
Restrict permissions to create/modify LMEvalJob custom resources to only trusted users
kubectl create rolebinding restricted-lmevaljob --role=lmevaljob-readonly --user=trusted-user
Input Validation
Implement an admission webhook to validate LMEvalJob CR fields before deployment
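The validation step of such a webhook, as an added example (not code from this advisory or from the TrustyAI project): it walks every string value in the submitted LMEvalJob spec and denies the request if any value falls outside an allowlist. The allowlist, the function names and the sample field layout are assumptions; the page does not name the affected fields.

```python
import re

# Assumption: a conservative allowlist for string values in an LMEvalJob spec.
# Widen it deliberately if legitimate values need other characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_./:=,@+ -]*")

def unsafe_strings(node, path="spec"):
    """Yield the JSON path of every string value outside the allowlist."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from unsafe_strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from unsafe_strings(child, f"{path}[{i}]")
    elif isinstance(node, str) and not SAFE_VALUE.fullmatch(node):
        yield path

def review(admission_review):
    """Return the AdmissionReview v1 response a validating webhook would send."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}
    is_lmevaljob = req.get("kind", {}).get("kind") == "LMEvalJob"
    if is_lmevaljob and req.get("operation") in ("CREATE", "UPDATE"):
        bad = list(unsafe_strings((req.get("object") or {}).get("spec", {})))
        if bad:
            response["allowed"] = False
            response["status"] = {"code": 403,
                                  "message": "disallowed characters in " + ", ".join(bad)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def constructed_request(task_names):
    """Constructed sample request; field names only illustrate nesting."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
                        "kind": {"kind": "LMEvalJob"},
                        "object": {"spec": {"model": "hf", "logSamples": True,
                                            "taskList": {"taskNames": task_names}}}}}

if __name__ == "__main__":
    for names in (["arc_easy"], ["arc_easy", "x; echo constructed"]):
        print(review(constructed_request(names))["response"])
```

An allowlist is used instead of a list of known-bad characters so that values the validator has not anticipated are rejected by default.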
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can create LMEvalJob custom resources
- Deploy pod security policies to restrict container capabilities and limit impact of successful exploitation
🔍 How to Verify
Check if Vulnerable:
Check whether the trustyai-service-operator version predates the PR #504 fix and whether LMEvalJob CRs accept unsanitized input in command fields.
Check Version:
kubectl get deployment trustyai-service-operator -o jsonpath='{.spec.template.spec.containers[0].image}'
Verify Fix Applied:
Verify that the trustyai-service-operator version includes the PR #504 changes, and test that command injection attempts in LMEvalJob fields are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in LMEvalJob pods
- Suspicious processes spawned from trustyai containers
- Failed LMEvalJob deployments with command-like strings
Network Indicators:
- Unexpected outbound connections from trustyai pods
- DNS requests to suspicious domains from LMEvalJob pods
SIEM Query:
source="kubernetes" AND ("LMEvalJob" OR "trustyai") AND (command* OR exec* OR shell*)