GHSA-q6hv-wcjr-wp8h
kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace
Blast Radius
github.com/kcp-dev/kcpReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the initializingworkspaces virtual workspace to run arbitrary patches on the status field of LogicalCluster objects while the workspace is initializing.
This allows to add or remove any initializers as well as changing the phase of a LogicalCluster (to "Ready" for example).
As this effectively allows to skip certain initializers or the entire initialization phase, potential integrations with external systems such as billing or security could be affected. Their initializers could be skipped by a WorkspaceType that adds another initializer and grants permissions to the virtual workspace to a rogue or compromised entity.
Who is impacted?
- Impacts other owners of
WorkspaceTypeswith initializers that are inherited by otherWorkspaceTypes. - Impacts developers using the
virtual/frameworkpackage to create their own virtualworkspaces if they are using UpdateFuncs in their custom storageWrappers.
Details
The issue occurs because the rest.ValidateObjectUpdateFunc is not being called within the DefaultDynamicDelegatedStoreFuncs. As a result, the intended status overwrite protection from initializers never gets called, allowing arbitrary logicalcluster status patches.
Patches
The problem has been patched in #3599 and is available in kcp 0.28.3 and higher.
Workarounds
- Further limit access to the
initializeverb onWorkspaceTypeobjects (see documentation for details). - Only use trusted
WorkspaceTypeobjects.
References
See the pull request (#3599).
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/kcp-dev/kcp | all versions | 0.28.3 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/kcp-dev/kcp. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/kcp-dev/kcp to 0.28.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q6hv-wcjr-wp8h is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-q6hv-wcjr-wp8h is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-q6hv-wcjr-wp8h. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-q6hv-wcjr-wp8h in your dependencies?
O3 detects GHSA-q6hv-wcjr-wp8h across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.