CVE-2025-24375 - Critical Credential Disclosure in Charmed MySQL K8s Operator

A recent vulnerability tracked as CVE-2025-24375 was discovered in the Charmed MySQL Kubernetes (K8s) Operator, which is a popular Charmed Operator for managing MySQL clusters on Kubernetes. Versions before revision 221 (for K8s) and before revision 338 (for machine-based deployments) are affected. This post explains the issue, how it can be exploited, and what you can do about it.

What Went Wrong?

The MySQL K8s Operator simplifies MySQL cluster management, but to do its job, it sometimes needs to run MySQL shell scripts or DDL (Data Definition Language) SQL statements. To coordinate that, it uses temporary files to store scripts and connection URIs, which include usernames and passwords.

The problem? These temporary files are being created with world-readable permissions (x644), making it possible for any user with access to the operator pod—or even an unprivileged user—to read these files while they exist. Sometimes, these files contain full MySQL connection URIs or, in other cases, actual DDL statements embedding new user credentials in plaintext.

Script Files Are Written Insecurely

Whether calling a Python-based *mysql-shell* script or when creating operator users through the *mysql CLI*, the operator writes sensitive information into files.

File Permissions Are Too Loose

Files are created with x644 permissions (user read/write, group read, others read).

Attack Window

While the operator is running, any user able to access the pod/host filesystem can read these files, capturing sensitive usernames and passwords.

Here's a simplified code snippet to show the crux of the issue

import tempfile
import os

def call_mysql_shell(conn_uri, script_content):
    # BAD: Creates a file with default permissions (x644)
    with tempfile.NamedTemporaryFile('w', delete=False) as tmp_sql:
        # Writing sensitive information
        tmp_sql.write(f"# Connection: {conn_uri}\n")
        tmp_sql.write(script_content)
        tmp_path = tmp_sql.name

    # ... later, code executes the script ...

    # File exists on disk with credentials until manually deleted!
    os.remove(tmp_path)

*In this example, conn_uri will include the MySQL username and password, which ends up in a file readable by anyone with filesystem access.*

`

# Connection: mysql://admin:SuperSecretPassword@mysql-db.local:3306/

Links to Original References

- Ubuntu Security Notice USN-6789-1
- Charmed MySQL K8s Operator GitHub
- Official CVE Record
- Charmed Operator Documentation

How to Exploit CVE-2025-24375

*Note: This is for educational and defensive purposes only!*

Assuming you have shell access to the affected operator pod or host

# List all relevant temp files (example based on file naming pattern)
ls -l /tmp | grep sql

# Read contents for credentials
cat /tmp/tmp4gy_jm8_.sql

If files exist and are created with loose permissions, you have immediate credential disclosure.


## How to Fix / Mitigate

Restrict User Access

- Ensure only the operator process can access the pod/host file system

Conclusion

CVE-2025-24375 is a critical bug caused by insecure temporary file handling in MySQL Charmed Operator for Kubernetes and legacy machine operators. By upgrading to the latest revisions, you protect your database users' passwords from leakage and prevent attackers from gaining a foothold.

Stay Secure. Always review operator privileges and keep your software updated.

© 2024 — This post is an original technical write-up based on publicly disclosed vulnerability information and source code investigation. For official details, visit the Charmed MySQL Operator GitHub.

Timeline

Published on: 04/09/2025 23:15:37 UTC
Last modified on: 04/11/2025 15:40:10 UTC