CVE-2025-30163

March 24, 2025, 7:15 p.m.

3.4
Low

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.

Product(s) Impacted

Vendor Product Versions
Cilium
  • Cilium
  • 1.16.0-1.16.7, 1.17.0-1.17.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cilium cilium 1.16.0-1.16.7 / / / / / / /
a cilium cilium 1.17.0-1.17.1 / / / / / / /

References

https://docs.cilium.io/en/stable/security/policy/language/#node-based
https://github.com/cilium/cilium/pull/36657
https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mc

Tags

security-advisories@github.com
CWE-863
2025-03-24
CVE-2025-30163

CVSS Score

3.4 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

    View Vector String

Timeline

Published: March 24, 2025, 7:15 p.m.
Last Modified: March 24, 2025, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.