Kubernetes CSI Driver for NFS Vulnerability Lets Attackers Delete or Modify NFS Server Directories

Cybersecurity News, archived Mar 17, 2026

A path traversal vulnerability has been identified in the Kubernetes Container Storage Interface (CSI) Driver for NFS, potentially allowing attackers to delete or modify unintended directories on NFS servers. The flaw stems from insufficient validation of the subDir parameter in volume identifiers, exposing clusters that permit users to create PersistentVolumes referencing the NFS CSI driver.

The vulnerability resides in how the CSI Driver for NFS handles the subDir parameter during volume operations. Attackers with permission to create PersistentVolumes referencing the nfs.csi.k8s.io driver can craft volume identifiers containing path traversal sequences (../). When the driver processes volume deletion or cleanup operations, it may operate on directories far outside the intended managed path within the NFS export. For example, a malicious volumeHandle referencing a path such as /tmp/mount-uuid/legitimate/../../../exports/subdir could cause the CSI controller to traverse out of the designated directory scope entirely, triggering unintended modifications or deletions on the NFS server.

Organizations are potentially at risk if they meet all of the following conditions:

- They run the CSI Driver for NFS (nfs.csi.k8s.io) in their Kubernetes cluster.
- Their cluster allows non-administrator users to create PersistentVolumes referencing the NFS CSI driver.
- Their deployed CSI driver version does not validate traversal sequences in the subDir field.

All versions of the CSI Driver for NFS prior to v4.13.1 are affected by this vulnerability, as the traversal validation fix was introduced in that release.
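To make the mechanism concrete, here is an added Go example (not code from the csi-driver-nfs project or from the article) that contrasts a naive join of the subDir onto the managed base path with a containment check that rejects the escape. The base path /tmp/mount-uuid and the traversing subDir value are taken from the article's example; the function names naiveJoin and safeJoin and the check itself are this example's own and make no claim about how the v4.13.1 fix is actually implemented.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a subDir would resolve outside its base directory.
var ErrTraversal = errors.New("subDir escapes the managed base directory")

// naiveJoin models the unsafe behaviour the article describes: the subDir is
// appended to the managed base and lexically cleaned, with no check that the
// result still lies under the base, so "../" components walk out of scope.
func naiveJoin(base, subDir string) string {
	return filepath.Join(base, subDir) // Join already applies filepath.Clean
}

// safeJoin (this example's own check, not the project's fix) resolves subDir
// against base and rejects any result that does not stay inside base.
func safeJoin(base, subDir string) (string, error) {
	cleanBase := filepath.Clean(base)
	target := filepath.Join(cleanBase, subDir)
	rel, err := filepath.Rel(cleanBase, target)
	if err != nil {
		return "", err
	}
	// A relative path of ".." or beginning with "../" means target is outside base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	base := "/tmp/mount-uuid" // managed path from the article's example
	for _, subDir := range []string{
		"legitimate/vol-1",                   // a normal per-volume subdirectory
		"legitimate/../../../exports/subdir", // the traversal quoted in the article
	} {
		fmt.Printf("subDir %q\n", subDir)
		fmt.Printf("  naive join resolves to: %s\n", naiveJoin(base, subDir))
		if p, err := safeJoin(base, subDir); err != nil {
			fmt.Printf("  safe join rejected: %v\n", err)
		} else {
			fmt.Printf("  safe join accepted: %s\n", p)
		}
	}
}
```

The naive join turns the article's example into /exports/subdir, outside the managed path, which is exactly the directory a cleanup operation would then act on. The containment check is purely lexical: filepath.Rel compares cleaned paths, so it catches ../ sequences but does not resolve symlinks that may already exist inside the export.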
Administrators can check whether their cluster is exposed by inspecting PersistentVolumes that use the NFS CSI driver and reviewing the volumeHandle field for traversal sequences such as ../. Additionally, CSI controller logs should be reviewed for unexpected directory operations. Log entries resembling "Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir" are a strong indicator of exploitation. Clusters showing evidence of active exploitation should be reported immediately to security@kubernetes.io.

The primary remediation is upgrading the CSI Driver for NFS to version v4.13.1 or later, which includes proper validation of traversal sequences in the subDir field. As interim measures, administrators should restrict PersistentVolume creation privileges exclusively to trusted users and audit NFS exports to confirm that only intended directories are writable by the driver. As a broader security best practice, untrusted users should never be granted permission to create arbitrary PersistentVolumes referencing external storage drivers.

The vulnerability was responsibly disclosed by Shaul Ben Hai, Senior Staff Security Researcher at SentinelOne. The fix was developed and deployed by the CSI Driver for NFS maintainers Andy Zhang and Rita Zhang, in coordination with the Kubernetes Security Response Committee.
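The two audit steps described above (scan PersistentVolumes bound to the NFS CSI driver for traversal sequences in volumeHandle, and scan controller logs for "Removing subPath:" entries that traverse), as an added Go example that is not a tool from the project or from the article. The PV JSON is constructed to mirror the shape of `kubectl get pv -o json`; the volume names, the volumeHandle layout and the klog-style log prefixes are illustrative placeholders and do not assert the driver's real volumeHandle format, which is why the check splits on both "/" and "#" rather than parsing fixed fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const nfsCSIDriver = "nfs.csi.k8s.io"

// samplePVJSON is constructed to mirror the shape of `kubectl get pv -o json`;
// the volume names and the volumeHandle layout are illustrative, not real output.
const samplePVJSON = `{"items":[
  {"metadata":{"name":"pv-good"},"spec":{"csi":{"driver":"nfs.csi.k8s.io",
     "volumeHandle":"nfs.example.internal#/exports#vol-good"}}},
  {"metadata":{"name":"pv-evil"},"spec":{"csi":{"driver":"nfs.csi.k8s.io",
     "volumeHandle":"nfs.example.internal#/exports#legitimate/../../../exports/subdir"}}},
  {"metadata":{"name":"pv-other"},"spec":{"csi":{"driver":"other.csi.example",
     "volumeHandle":"x/../y"}}},
  {"metadata":{"name":"pv-hostpath"},"spec":{"hostPath":{"path":"/data"}}}
]}`

// sampleLogs are constructed controller log lines in klog style; the message
// text follows the indicator quoted in the article, the prefixes are placeholders.
const sampleLogs = `I0317 10:00:01.000000 1 controllerserver.go:NNN] Removing subPath: /tmp/mount-uuid/vol-good
I0317 10:00:02.000000 1 controllerserver.go:NNN] Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir
I0317 10:00:03.000000 1 controllerserver.go:NNN] DeleteVolume: volume vol-good deleted`

// pvList is the minimal subset of the kubectl PersistentVolumeList this audit needs.
type pvList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			CSI *struct {
				Driver       string `json:"driver"`
				VolumeHandle string `json:"volumeHandle"`
			} `json:"csi"`
		} `json:"spec"`
	} `json:"items"`
}

// hasTraversal reports whether any "/"- or "#"-delimited component of s is "..".
// Splitting on both delimiters avoids assuming a particular volumeHandle layout.
func hasTraversal(s string) bool {
	for _, part := range strings.FieldsFunc(s, func(r rune) bool { return r == '/' || r == '#' }) {
		if part == ".." {
			return true
		}
	}
	return false
}

// SuspiciousPVs returns the names of NFS CSI PersistentVolumes whose
// volumeHandle carries a ".." component; other drivers are ignored.
func SuspiciousPVs(kubectlJSON []byte) ([]string, error) {
	var list pvList
	if err := json.Unmarshal(kubectlJSON, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, pv := range list.Items {
		if pv.Spec.CSI == nil || pv.Spec.CSI.Driver != nfsCSIDriver {
			continue
		}
		if hasTraversal(pv.Spec.CSI.VolumeHandle) {
			out = append(out, pv.Metadata.Name)
		}
	}
	return out, nil
}

// SuspiciousLogLines returns controller log lines that record a subPath
// removal whose path contains a traversal component.
func SuspiciousLogLines(logs string) []string {
	var out []string
	for _, line := range strings.Split(logs, "\n") {
		_, after, found := strings.Cut(line, "Removing subPath:")
		if found && hasTraversal(strings.TrimSpace(after)) {
			out = append(out, line)
		}
	}
	return out
}

func main() {
	pvs, err := SuspiciousPVs([]byte(samplePVJSON))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("NFS CSI PersistentVolumes with traversal in volumeHandle:", pvs)
	for _, line := range SuspiciousLogLines(sampleLogs) {
		fmt.Println("suspicious controller log line:", line)
	}
}
```

Against a live cluster the same functions would consume the output of `kubectl get pv -o json` and the CSI controller's container logs; the sample data is embedded only so the example runs offline.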