U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2025-62714 Detail

Description

Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

Nist CVSS score does not match with CNA score
CNA:  GitHub, Inc.
CVSS-B 8.7 HIGH
Vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://github.com/karmada-io/dashboard/commit/8457b8bb87725e2371a638ca5a255fd2895c70f1 GitHub, Inc.
https://github.com/karmada-io/dashboard/commit/d2d04909f25e96b4c20fa6b636c398bd1636ee06 GitHub, Inc.
https://github.com/karmada-io/dashboard/pull/271 GitHub, Inc.
https://github.com/karmada-io/dashboard/pull/280 GitHub, Inc.
https://github.com/karmada-io/dashboard/releases/tag/v0.2.0 GitHub, Inc.
https://github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92 GitHub, Inc.

Weakness Enumeration

CWE-ID CWE Name Source
CWE-862 Missing Authorization GitHub, Inc.  

Change History

1 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2025-62714
NVD Published Date:
10/24/2025
NVD Last Modified:
10/24/2025
Source:
GitHub, Inc.