Cyber Resilience

CVE-2025-30205

High

Published: 24 March 2025

Published
24 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N
EPSS Score 0.0014 33.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30205 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30205 is a vulnerability in kanidm-provision, a helper utility that uses Kanidm's API to provision users, groups, and OAuth2 systems. Prior to version 1.2.0, faulty function instrumentation in the optional Kanidm patches provided by kanidm-provision causes provisioned admin credentials to be leaked to the system log. This issue only affects users who both apply these provided patches and provision their `admin` or `idm_admin` account credentials this way; no other credentials are impacted. It is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N).

The vulnerability can be exploited by an attacker with high privileges (PR:H) on the affected system, where it is network-accessible with low attack complexity and no user interaction required. By triggering the provisioning process under these conditions, the attacker can cause the admin credentials to be written to the system log, allowing them to read and obtain those credentials from the logs. This results in low confidentiality impact from the leak itself but high integrity impact due to potential unauthorized modifications enabled by the stolen credentials, with a changed scope.

The GitHub security advisory (GHSA-57fc-pcqm-53rp) and fixing commit (a102b52e4a79be4263068577ba837f16c3e487a2) recommend recompiling Kanidm with the newest patchset from tag v1.2.0 or higher to mitigate the issue. As a workaround, users can set the `KANIDM_LOG_LEVEL` environment variable to any level higher than `info`, such as `warn`, to prevent the sensitive credentials from being logged.

EU & UK References

Vulnerability details

kanidim-provision is a helper utility that uses kanidm's API to provision users, groups and oauth2 systems. Prior to version 1.2.0, a faulty function intrumentation in the (optional) kanidm patches provided by kandim-provision will cause the provisioned admin credentials to be…

more

leaked to the system log. This only impacts users which both use the provided patches and provision their `admin` or `idm_admin` account credentials this way. No other credentials are affected. Users should recompile kanidm with the newest patchset from tag `v1.2.0` or higher. As a workaround, the user can set the log level `KANIDM_LOG_LEVEL` to any level higher than `info`, for example `warn`.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability directly causes admin credentials to be inserted into the system log file (CWE-532), enabling an attacker to read and obtain them from local files.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24762Shared CWE-532
CVE-2024-7577Shared CWE-532
CVE-2026-34487Shared CWE-532
CVE-2025-1075Shared CWE-532
CVE-2026-27900Shared CWE-532
CVE-2026-23775Shared CWE-532
CVE-2026-25193Shared CWE-532
CVE-2026-44516Shared CWE-532
CVE-2026-44052Shared CWE-532
CVE-2025-11008Shared CWE-532

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation of the faulty instrumentation in kanidm patches that logs admin credentials.

prevent

Specifies the content of audit records to exclude sensitive information like admin credentials, preventing their insertion into system logs.

prevent

Protects audit information in system logs from unauthorized access by high-privilege attackers seeking leaked credentials.

References