CVE-2025-64715
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64715, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-29

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-29
Last Modified
2025-12-04
Generated
2026-07-06
AI Q&A
2025-11-29
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
cilium cilium to 1.16.17 (exc)
cilium cilium From 1.17.0 (inc) to 1.17.10 (exc)
cilium cilium From 1.18.0 (inc) to 1.18.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-NVD-CWE-noinfo

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Cilium occurs when CiliumNetworkPolicys use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that either do not exist or are not attached to any network interface. In such cases, the policy fails to generate the toCIDRset section, which results in outbound traffic being allowed to more destinations than intended by the policy authors. This means that the intended restrictions on outbound network access may be bypassed, potentially allowing broader outbound access.

Impact Analysis

The impact of this vulnerability is that outbound network traffic may be permitted to more destinations than originally intended by the policy authors. This could lead to unintended exposure of network resources or data, as the security policies meant to restrict outbound access are not properly enforced. This may increase the risk of data leakage or unauthorized communication from affected systems.

Mitigation Strategies

Upgrade Cilium to version 1.16.17, 1.17.10, or 1.18.4 or later, as these versions contain the patch for this vulnerability. There are no workarounds available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64715. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart