GHSA-rp4v-hhm6-rcv9
MEDIUMPinniped Supervisor Insufficient Session Expiration vulnerability
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
go.pinniped.devReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.
Access tokens issued by the Pinniped Supervisor have an intended expiration lifetime of approximately two minutes. The Pinniped CLI will automatically use the refresh token, which has a lifetime of approximately nine hours, to request a new access token after the access token's advertised expiration time elapses. Starting in Pinniped version 0.13.0, the Supervisor performs checks during each refresh request against the configured external identity provider to determine if the user should be allowed to continue their session. Thus, the short lifetime of the access token is intended to force users to be subjected to those checks often. For example, if a user's account in the external identity provider became locked, the next refresh would fail, and the user should lose access to the Kubernetes clusters fairly quickly. As another example, if a user's group membership changed in the external identity provider, the new group memberships would be reflected in their sessions with Kubernetes clusters within a fairly short window of time.
Access tokens are cached in a local file by the Pinniped CLI (the kubectl plugin) and are sent back to the Supervisor (via HTTPS) to receive cluster-scoped credentials. Due to a bug in this token exchange, the expiration time of the submitted access token was not checked correctly, causing expired access tokens to continue to be accepted by this endpoint until the user's backend session data is deleted, approximately nine hours after their session started. This bug could allow a legitimate user to avoid the checks performed during refresh by maliciously skipping the refresh step.
Note that the Pinniped CLI performs the refresh operation often, so the refresh checks are still performed often under normal usage of the CLI, despite this bug.
Practical impact to versions before v0.13.0 is minimal, since those versions did not perform checks against the external identity provider during refreshes. In these versions, the user can perform refreshes to get a new access tokens without restriction for approximately nine hours, so the duration of their access is effectively unchanged by this bug.
Patches
The impacted token exchange feature was first introduced in v0.3.0. Versions v0.3.0 to v0.18.0 are effected by this bug.
This vulnerability was found by the maintainers of Pinniped and fixed immediately. The fix was introduced in release v0.19.0.
Workarounds
There are no known workarounds. Upgrading the Supervisor is recommended, especially for users of v0.13.0 or newer.
References
The issue was fixed by PR #1264.
For more information
If you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo's README.md.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | go.pinniped.dev | ≥ 0.3.0&&< 0.19.0 | 0.19.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for go.pinniped.dev. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update go.pinniped.dev to 0.19.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rp4v-hhm6-rcv9 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-rp4v-hhm6-rcv9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-rp4v-hhm6-rcv9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-rp4v-hhm6-rcv9 in your dependencies?
O3 detects GHSA-rp4v-hhm6-rcv9 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.