How severe is GHSA-fcmh-qfxc-w685?

GHSA-fcmh-qfxc-w685 has a CVSS score of 4.1/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-fcmh-qfxc-w685?

GHSA-fcmh-qfxc-w685 affects the following packages: github.com/cloudnativelabs/kube-router/v2 (Go). Ecosystems affected: Go.

How do I fix GHSA-fcmh-qfxc-w685?

No patched version of github.com/cloudnativelabs/kube-router/v2 has shipped for GHSA-fcmh-qfxc-w685 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

How do I detect GHSA-fcmh-qfxc-w685 in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cloudnativelabs/kube-router/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-fcmh-qfxc-w685 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-fcmh-qfxc-w685?

O3 pinpoints whether GHSA-fcmh-qfxc-w685 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-fcmh-qfxc-w685 actively exploited in the wild?

No public exploit code has been indexed for GHSA-fcmh-qfxc-w685 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-fcmh-qfxc-w685 published, and has it been updated?

GHSA-fcmh-qfxc-w685 was published on April 8, 2026 and was last updated on April 8, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-fcmh-qfxc-w685

MEDIUM

kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level

Published

Apr 8, 2026

Updated

Apr 8, 2026

Affected

1 pkg

Patched

None yet

Exploits

None indexed

Blast Radius

1 pkg affected

🐹github.com/cloudnativelabs/kube-router/v2

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

When kube-router is configured with per-node BGP peer passwords using the kube-router.io/peer.passwords node annotation, and verbose logging is enabled (--v=2 or higher), the raw Kubernetes node annotation map is logged verbatim — including the base64-encoded BGP MD5 passwords. Anyone with access to kube-router's logs (via kubectl logs, log aggregation systems, or shared log dumps during debugging) can extract and decode the BGP peer passwords. The official troubleshooting documentation instructs users to collect logs at -v=2 before filing issues, making accidental disclosure during support interactions a realistic scenario.

Details

The vulnerability is at pkg/controllers/routing/network_routes_controller.go:1129:

// pkg/controllers/routing/network_routes_controller.go:1127-1133
// If the global routing peer is configured then peer with it
// else attempt to get peers from node specific BGP annotations.
if len(nrc.globalPeerRouters) == 0 {
    klog.V(2).Infof("Attempting to construct peer configs from annotation: %+v", node.Annotations)
    peerCfgs, err := bgpPeerConfigsFromAnnotations(

node.Annotations is of type map[string]string. This type does not implement fmt.Stringer, so %+v formatting dumps every key-value pair verbatim. When kube-router.io/peer.passwords is set on the node (the documented mechanism for providing per-node BGP MD5 passwords), its base64-encoded value appears in the log output.

The BGP peer password annotation is documented in docs/user-guide.md and has the constant:

// pkg/controllers/routing/network_routes_controller.go:59
peerPasswordAnnotation = "kube-router.io/peer.passwords"

Note that a password-safe String() method exists on PeerConfig and PeerConfigs in pkg/bgp/peer_config.go and is tested:

// pkg/bgp/peer_config.go:63-79
// Custom Stringer to prevent leaking passwords when printed
func (p PeerConfig) String() string {
    // ...password field is intentionally omitted...
}

However, this protective method is never invoked by the vulnerable log statement, which dumps the raw annotation map before any parsing occurs. The password masking only applies after the annotation is parsed into PeerConfig structs.

The second log statement at line 1510 (klog.Infof("Peer config from %s annotation: %+v", peersAnnotation, peerConfigs)) is not vulnerable — peerConfigs is of type bgp.PeerConfigs which implements fmt.Stringer and correctly masks passwords.

The vulnerable path (bgpPeerConfigsFromIndividualAnnotations) is triggered when the kube-router.io/peers consolidated YAML annotation is not set — i.e., when operators use the older individual annotation format (kube-router.io/peer.ips, kube-router.io/peer.asns, kube-router.io/peer.passwords). This older format remains fully supported and documented.

PoC

Setup: Node has per-node BGP peer annotations including a password:

kubectl annotate node worker-1 \
  kube-router.io/peer.ips=192.0.2.1 \
  kube-router.io/peer.asns=65001 \
  "kube-router.io/peer.passwords=$(echo -n 's3cr3t-bgp-p@ss' | base64)"

Trigger: Start kube-router with verbose logging (e.g., following troubleshooting documentation):

# As documented in docs/troubleshoot.md for debugging:
kube-router ... --v=2

Observe: In kube-router pod logs:

I0318 10:23:41.123456 1 network_routes_controller.go:1129] Attempting to construct peer configs from annotation:
map[
  kube-router.io/peer.asns:65001
  kube-router.io/peer.ips:192.0.2.1
  kube-router.io/peer.passwords:czNjcjN0LWJncC1wQHNz   <-- base64-encoded password
  ...other annotations...
]

Decode the password:

echo "czNjcjN0LWJncC1wQHNz" | base64 -d
# Output: s3cr3t-bgp-p@ss

Impact: With the decoded password and network adjacency to the BGP peer, an attacker can establish an unauthorized BGP session, inject routes, or disrupt legitimate BGP peering.

Impact

BGP credential disclosure: BGP MD5 authentication passwords are exposed to anyone with access to kube-router log output
BGP session hijacking: An attacker who obtains the password and has network-level access to a BGP neighbor can impersonate the kube-router node, injecting malicious routes into the BGP table
Log forwarding risk: Log aggregation systems (Fluentd, Loki, Elastic, Splunk) typically have different and often broader access controls than Kubernetes RBAC. Passwords aggregated into these systems may be accessible to personnel without Kubernetes node access
Support workflow exposure: The official troubleshooting documentation recommends collecting --v=2 logs before filing issues, creating a realistic path for passwords to be shared in bug reports or support tickets

Recommended Fix

Remove or redact the vulnerable log statement at line 1129. The diagnostic information it provides (confirming that annotation-based peer configuration is being used) can be conveyed without exposing credential values:

// Before (vulnerable):
klog.V(2).Infof("Attempting to construct peer configs from annotation: %+v", node.Annotations)

// After (safe):
klog.V(2).Infof("Attempting to construct peer configs from per-node annotations (kube-router.io/peer.ips, etc.)")

If full annotation content is needed for debugging (e.g., to show non-sensitive annotations), log a filtered version that explicitly excludes the password annotation:

// Safe alternative that preserves non-sensitive diagnostic info:
safeAnnotations := make(map[string]string)
for k, v := range node.Annotations {
    if k != peerPasswordAnnotation {
        safeAnnotations[k] = v
    }
}
klog.V(2).Infof("Attempting to construct peer configs from annotations: %+v", safeAnnotations)

Affected Packages

1 total

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/cloudnativelabs/kube-router/v2`	≥ 2.7.0	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cloudnativelabs/kube-router/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of github.com/cloudnativelabs/kube-router/v2 has shipped for GHSA-fcmh-qfxc-w685 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-fcmh-qfxc-w685 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-fcmh-qfxc-w685. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary When kube-router is configured with per-node BGP peer passwords using the `kube-router.io/peer.passwords` node annotation, and verbose logging is enabled (`--v=2` or higher), the raw Kubernetes node annotation map is logged verbatim — including the base64-encoded BGP MD5 passwords. Anyone with access to kube-router's logs (via `kubectl logs`, log aggregation systems, or shared log dumps during debugging) can extract and decode the BGP peer passwords. The official troubleshooting documentation instructs users to collect logs at `-v=2` before filing issues, making accidental disclosu

O3 Security · Impact-Aware SCA

Is GHSA-fcmh-qfxc-w685 in your dependencies?

O3 detects GHSA-fcmh-qfxc-w685 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works