CVE-2025-64715
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-29

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-29
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-11-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64715
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
cilium cilium to 1.16.17 (exc)
cilium cilium From 1.17.0 (inc) to 1.17.10 (exc)
cilium cilium From 1.18.0 (inc) to 1.18.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Cilium occurs when CiliumNetworkPolicys use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that either do not exist or are not attached to any network interface. In such cases, the policy fails to generate the toCIDRset section, which results in outbound traffic being allowed to more destinations than intended by the policy authors. This means that the intended restrictions on outbound network access may be bypassed, potentially allowing broader outbound access.

Impact Analysis

The impact of this vulnerability is that outbound network traffic may be permitted to more destinations than originally intended by the policy authors. This could lead to unintended exposure of network resources or data, as the security policies meant to restrict outbound access are not properly enforced. This may increase the risk of data leakage or unauthorized communication from affected systems.

Mitigation Strategies

Upgrade Cilium to version 1.16.17, 1.17.10, or 1.18.4 or later, as these versions contain the patch for this vulnerability. There are no workarounds available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64715. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart