CVE-2025-44021

NameCVE-2025-44021
DescriptionOpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. The fixed versions are 24.1.3, 26.1.1, and 29.0.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104964

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ironic (PTS)bullseye1:16.0.3-1vulnerable
bookworm1:21.1.0-3vulnerable
forky, sid, trixie1:29.0.0-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ironicsource(unstable)1:29.0.0-61104964

Notes

[bookworm] - ironic <no-dsa> (Minor issue)
[bullseye] - ironic <postponed> (Minor issue)
https://bugs.launchpad.net/ironic/+bug/2107847
https://security.openstack.org/ossa/OSSA-2025-001.html
https://www.openwall.com/lists/oss-security/2025/05/08/1
Search for package or bug name: Reporting problems