CVE-2025-30163

MEDIUM EPSS 9.6%
Published Mar 24, 20251y ago · Modified Jun 17, 20261w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Mar 24, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.

CVSS Details

Base Score
4.7
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector Adjacent
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
9.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 2

VendorProductVersionRange
ciliumcilium*≥1.16.0  –  <1.16.8
ciliumcilium*≥1.17.0  –  <1.17.2

References 3

  • docs.cilium.io https://docs.cilium.io/en/stable/security/policy/language/#node-based
    Product
  • github.com https://github.com/cilium/cilium/pull/36657
    Patch
  • github.com https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mc
    MitigationPatchThird Party Advisory

Remediation

  • github.com https://github.com/cilium/cilium/pull/36657
    Patch
  • github.com https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mc
    MitigationPatchThird Party Advisory