CVE-2025-30163 - Vulnerability Details

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

References

Link	Providers
https://docs.cilium.io/en/stable/security/policy/language/#node-based
https://github.com/cilium/cilium/pull/36657
https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mc
https://nvd.nist.gov/vuln/detail/CVE-2025-30163
https://www.cve.org/CVERecord?id=CVE-2025-30163

History

Wed, 26 Mar 2025 02:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-30163 https://www.cve.org/CVERecord?id=CVE-2025-30163
Metrics	threat_severity `None`	threat_severity `Low`

Mon, 24 Mar 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 24 Mar 2025 19:00:00 +0000

Type	Values Removed	Values Added
Description		Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.
Title		Node based network policies may incorrectly allow workload traffic
Weaknesses		CWE-863
References		https://docs.cilium.io/en/stable/security/policy/language/#node-based https://github.com/cilium/cilium/pull/36657 https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mc
Metrics		cvssV3_1 `{'score': 3.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-03-24T18:46:35.407Z

Updated: 2025-03-24T19:29:46.075Z

Reserved: 2025-03-17T12:41:42.567Z

Link: CVE-2025-30163

Vulnrichment

Updated: 2025-03-24T19:29:42.821Z

NVD

Status : Received

Published: 2025-03-24T19:15:52.937

Modified: 2025-03-24T19:15:52.937

Link: CVE-2025-30163

Redhat

Severity : Low

Publid Date: 2025-03-24T18:46:35Z

Links: CVE-2025-30163 - Bugzilla

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object