CVE-2025-30205

CVE-2025-30205 is a vulnerability in kanidm-provision, a helper utility that uses Kanidm's API to provision users, groups, and OAuth2 systems. Prior to version 1.2.0, faulty function instrumentation in the optional Kanidm patches provided by kanidm-provision causes provisioned admin credentials to be leaked to the system log. This issue only affects users who both apply these provided patches and provision their `admin` or `idm_admin` account credentials this way; no other credentials are impacted. It is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N).

The vulnerability can be exploited by an attacker with high privileges (PR:H) on the affected system, where it is network-accessible with low attack complexity and no user interaction required. By triggering the provisioning process under these conditions, the attacker can cause the admin credentials to be written to the system log, allowing them to read and obtain those credentials from the logs. This results in low confidentiality impact from the leak itself but high integrity impact due to potential unauthorized modifications enabled by the stolen credentials, with a changed scope.

The GitHub security advisory (GHSA-57fc-pcqm-53rp) and fixing commit (a102b52e4a79be4263068577ba837f16c3e487a2) recommend recompiling Kanidm with the newest patchset from tag v1.2.0 or higher to mitigate the issue. As a workaround, users can set the `KANIDM_LOG_LEVEL` environment variable to any level higher than `info`, such as `warn`, to prevent the sensitive credentials from being logged.