headlamp-kube-vip-plugin/SECURITY.md
privilegedescalation-engineer[bot] 1c5e50ce8c docs(security): document GHSA-848j-6mx2-7j84 elliptic as accepted risk (#59)
* Add E2E test infrastructure for kube-vip plugin

Scaffolded via e2e-scaffold.sh (proactive improvement).
- playwright.config.ts, e2e/auth.setup.ts, e2e/kube-vip.spec.ts
- scripts/deploy-e2e-headlamp.sh, scripts/teardown-e2e-headlamp.sh
- .github/workflows/e2e.yaml uses reusable workflow
- @playwright/test ^1.58.2 devDep

- PRI-641

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* Fix E2E workflow: use pnpm-capable reusable workflow branch

The reusable plugin-e2e.yaml@main lacks pnpm support. Switching to
the PR branch that has pnpm detector, Corepack setup, and pnpm commands.

Will revert to @main once PR #141 merges.

- PRI-619 E2E fix

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* docs(security): document GHSA-848j-6mx2-7j84 elliptic as accepted risk

* fix(e2e): reference @main workflow after .github merge

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-06 00:44:27 +00:00


Security Policy

Supported Versions

Version | Supported
latest  | Yes

Plugin Scope

This plugin is read-only. It does not perform any write operations against the Kubernetes cluster. It reads:

  • Services (type: LoadBalancer)
  • Nodes
  • Pods in kube-system
  • DaemonSets in kube-system
  • Leases in kube-system
  • ConfigMaps in kube-system

All data is fetched through Headlamp's built-in API proxy, which respects the user's existing RBAC permissions.

Reporting a Vulnerability

Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.

Known Low-Severity Vulnerabilities

GHSA-848j-6mx2-7j84 (elliptic)

Severity: High (but not exploitable in this plugin's context)

Affected component: elliptic (transitive, via vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify → browserify-sign)

Description: The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a read-only Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:

  • Use of elliptic curve operations on untrusted input, AND
  • Ability for an attacker to influence the elliptic curve key generation input

Neither condition is met in this plugin's runtime context.

Remediation: No patched version of elliptic exists on npm. The current override in package.json ("elliptic": ">=6.6.1") is a placeholder — no resolvable version satisfies this constraint.

Risk acceptance rationale:

  1. Plugin has no write operations against the cluster
  2. All data flows through Headlamp's API proxy with standard RBAC enforcement
  3. The vulnerable dependency is only in the development/build toolchain, not runtime
  4. No untrusted input can reach elliptic curve operations through this plugin

Review date: 2026-05-05
Reviewed by: Hugh Hackman (VP Engineering Operations)
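Rationale items 3 and 4 rest on elliptic being reachable only through the build toolchain. The following is an added example, not code from the plugin or from Headlamp, of the check a reviewer can run to confirm that: it walks a dependency graph from the runtime and dev entry points separately and reports which side reaches the advisory package. The graph is constructed by hand to mirror the chain named above (the `@kinvolk/headlamp-plugin` runtime entry is an assumption); a real run would load the same shape from the lockfile.

```javascript
// Constructed dependency graph (not read from a real lockfile). Root deps are
// split the way package.json splits them; "packages" is an adjacency list.
const graph = {
  root: {
    dependencies: ["@kinvolk/headlamp-plugin"],          // assumed runtime dep
    devDependencies: ["vite-plugin-node-polyfills", "@playwright/test"],
  },
  packages: {
    "@kinvolk/headlamp-plugin": [],
    "@playwright/test": ["playwright"],
    playwright: [],
    "vite-plugin-node-polyfills": ["node-stdlib-browser"],
    "node-stdlib-browser": ["crypto-browserify"],
    "crypto-browserify": ["browserify-sign"],
    "browserify-sign": ["elliptic"],
    elliptic: [],
  },
};

// Breadth-first search from a set of entry packages; returns every path that
// ends at `target`. The visited set keeps cyclic graphs from looping.
function findPaths(graph, entries, target) {
  const paths = [];
  const queue = entries.map((name) => [name]);
  const seen = new Set();
  while (queue.length) {
    const path = queue.shift();
    const name = path[path.length - 1];
    if (name === target) { paths.push(path); continue; }
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph.packages[name] ?? []) queue.push([...path, dep]);
  }
  return paths;
}

// "runtime" if any runtime dependency reaches the target, "dev-only" if it is
// reachable solely through devDependencies, "absent" if nothing reaches it.
function classifyExposure(graph, target) {
  const runtimePaths = findPaths(graph, graph.root.dependencies, target);
  const devPaths = findPaths(graph, graph.root.devDependencies, target);
  const exposure = runtimePaths.length ? "runtime" : devPaths.length ? "dev-only" : "absent";
  return { exposure, runtimePaths, devPaths };
}

const result = classifyExposure(graph, "elliptic");
console.log(result.exposure);                             // dev-only
for (const p of result.devPaths) console.log(p.join(" -> "));
```

A "runtime" result would invalidate the acceptance rationale and is the case the check exists to catch.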