Rancher Security Advisory: Heads up on Rancher CVE-2021-25313

Table of Contents

Please note that this information is under embargo until the release is official and should not be shared with others


Dear Rancher Customer,

This is an advance security notice on the following CVE:

  • CVE-2021-25313 - Rancher - XSS attack on the Rancher API


An issue was discovered in Rancher 2.0 through 2.5.5. When accessing the Rancher API with a browser, the URL was not properly escaped, making it vulnerable to an XSS (Cross-Site Scripting) attack. Specially crafted URLs to these API endpoints could include JavaScript which would be embedded in the page and execute in a browser. There is no direct mitigation. Avoid clicking on untrusted links to your Rancher server.

Am I vulnerable?

You are vulnerable if you are running any Rancher 2 version prior to the patched versions.

How do I mitigate this vulnerability?

There is no direct mitigation, outside of not accessing the API via a JavaScript-enabled browser. Avoid clicking on untrusted links directed at your Rancher server.

We are currently working on providing the fix that will address this vulnerability. We expect to make the following Rancher release next week (week beginning Mon, March 1st) that will include the fix:

  • v2.5.6
  • v2.4.14
  • v2.3.11

Stay tuned. We will update you with a follow-up communication closer to the release.


Simply reply to this email from support@rancher.com and we will track and respond to you as a regular Support Ticket.


Rancher Support Team

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.