CVE-2025-13281
Half-Blind SSRF in kube-controller-manager via Portworx StorageClass
Publication date: 2025-12-14
Last updated on: 2025-12-14
Assigner: Kubernetes
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kubernetes | kube-controller-manager | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a half-blind Server Side Request Forgery (SSRF) in the kube-controller-manager when using the in-tree Portworx StorageClass. It allows authorized users to make the server send requests to internal, unprotected endpoints within the control plane's host network, including link-local or loopback services, potentially leaking arbitrary information.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing authorized users to leak sensitive information from internal endpoints that are normally not accessible externally. This could expose confidential data within the control plane's host network, leading to potential information disclosure risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by analyzing ProvisioningFailed events generated by the kube-controller-manager on affected clusters where the CSIMigrationPortworx feature gate is disabled. These events may contain leaked sensitive information from the control plane's host network. Monitoring these events in your Kubernetes cluster can help identify exploitation attempts. Specific commands to check these events include using kubectl to query events, for example: kubectl get events --field-selector reason=ProvisioningFailed -n <namespace> or kubectl describe events -n <namespace> and filtering for ProvisioningFailed events related to the Portworx StorageClass. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the kube-controller-manager to fixed versions: v1.32.10 or later, v1.33.6 or later, or v1.34.2 or later. Alternatively, if the CSIMigrationPortworx feature gate is manually disabled, enable it to disable the in-tree Portworx StorageClass and mitigate the vulnerability. Additionally, restrict the ability for untrusted users to create pods using the Portworx StorageClass to reduce risk. [1, 2, 3]