CVE-2025-64715
BaseFortify
Publication date: 2025-11-29
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cilium | cilium | to 1.16.17 (exc) |
| cilium | cilium | From 1.17.0 (inc) to 1.17.10 (exc) |
| cilium | cilium | From 1.18.0 (inc) to 1.18.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| NVD-CWE-noinfo | Insufficient information (NVD placeholder, not a CWE entry). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Cilium occurs when a CiliumNetworkPolicy uses egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that either do not exist or are not attached to any network interface. In such cases, the policy derivation fails to generate the toCIDRSet section, so outbound traffic is allowed to more destinations than the policy authors intended. The intended restrictions on outbound network access are therefore not enforced for that egress rule, and broader outbound access is permitted.
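A practical check for this class of misconfiguration is to list every security group ID a policy references and compare it against the set of groups actually attached to a network interface. The audit below is an added example, not Cilium project code; it assumes the policies are already loaded as dicts (for example from `kubectl get cnp -A -o json`) and that the caller supplies the attached group IDs (for example from `aws ec2 describe-network-interfaces`). The policy and group IDs in it are constructed sample values.

```python
"""Audit CiliumNetworkPolicy objects for AWS security group references that do
not resolve to an attached network interface (added example, not Cilium code).
Inputs assumed: policies as dicts and the set of SG IDs attached to ENIs."""
from typing import Iterable, Iterator, Tuple

Ref = Tuple[str, int, str]  # (policy name, egress rule index, security group ID)


def iter_aws_group_refs(policy: dict) -> Iterator[Ref]:
    """Yield every security group ID referenced under
    spec(s).egress[].toGroups[].aws.securityGroupsIds of one policy."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    # A CiliumNetworkPolicy may carry a single `spec` or a list of `specs`.
    specs = list(policy.get("specs") or [])
    if policy.get("spec"):
        specs.insert(0, policy["spec"])
    for spec in specs:
        for idx, rule in enumerate(spec.get("egress") or []):
            for group in rule.get("toGroups") or []:
                for sg_id in (group.get("aws") or {}).get("securityGroupsIds") or []:
                    yield name, idx, sg_id


def find_unresolved_group_refs(policies: Iterable[dict], attached_sg_ids: set) -> list:
    """Return references whose security group ID is not attached to any ENI.
    Per the advisory, affected Cilium versions derive no toCIDRSet for such
    references, so the egress rule allows more destinations than intended."""
    return [ref for policy in policies
            for ref in iter_aws_group_refs(policy)
            if ref[2] not in attached_sg_ids]


# Constructed sample data (hypothetical IDs): two live groups, one stale reference.
ATTACHED_SG_IDS = {"sg-0aaaaaaaaaaaaaaa1", "sg-0bbbbbbbbbbbbbbb2"}
SAMPLE_POLICY = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "allow-egress-to-db", "namespace": "payments"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "api"}},
        "egress": [{"toGroups": [{"aws": {"region": "eu-west-1",
                                          "securityGroupsIds": ["sg-0aaaaaaaaaaaaaaa1",
                                                                "sg-0fffffffffffffff9"]}}],
                    "toPorts": [{"ports": [{"port": "5432", "protocol": "TCP"}]}]}],
    },
}

if __name__ == "__main__":
    for name, idx, sg_id in find_unresolved_group_refs([SAMPLE_POLICY], ATTACHED_SG_IDS):
        print(f"{name}: egress[{idx}] references {sg_id}, not attached to any ENI")
```

Any reference the audit reports should be treated as an egress rule that is effectively wider than written until the cluster runs a fixed version and the stale group ID is corrected.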
How can this vulnerability impact me?
The impact of this vulnerability is that outbound network traffic may be permitted to more destinations than originally intended by the policy authors. This could lead to unintended exposure of network resources or data, as the security policies meant to restrict outbound access are not properly enforced. This may increase the risk of data leakage or unauthorized communication from affected systems.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Cilium to version 1.16.17, 1.17.10, or 1.18.4 or later, as these versions contain the patch for this vulnerability. There are no workarounds available.