CVE-2025-67499
BaseFortify
Publication date: 2025-12-10
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
The CNI network plugins' portmap plugin, in versions 1.6.0 through 1.8.0, forwards HostPort traffic incorrectly when configured with the nftables backend: its rules match every packet with the mapped destination port and ignore the destination IP. A container that requests a HostPort mapping can therefore intercept all traffic to that port that reaches the node, including traffic not intended for the node itself, such as traffic addressed to other containers on the node. The issue is fixed in version 1.9.0; configuring the plugin to use the iptables backend instead of nftables is a workaround.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | cni_network_plugins | From 1.6.0 (inc) to 1.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is in the CNI portmap plugin, versions 1.6.0 through 1.8.0, when it is configured with the nftables backend. The nftables rules the plugin installs for a HostPort match on the destination port alone and ignore the destination IP, so they forward every packet with that destination port rather than only packets addressed to the node. A container that requests HostPort forwarding therefore receives all traffic to that port that passes through the node, including traffic not intended for the node itself, such as traffic addressed to other containers on the node. The issue is fixed in version 1.9.0; as a workaround, configure the portmap plugin to use the iptables backend instead of nftables.
How can this vulnerability impact me?
An attacker who can get a container with a HostPort mapping scheduled on an affected node receives all traffic to that port that the node handles, including traffic meant for other containers on the same node. Because the traffic is delivered to the attacker's container, it can read it, answer in place of the intended service, or simply drop it. The consequences are unauthorized access to other workloads' data and information leakage (CWE-200), impersonation of co-located services, and disruption of the services the traffic was meant for. A tenant with only the right to run a pod with a hostPort can thereby reach data belonging to other tenants on the node, which is a privilege escalation in a multi-tenant cluster.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the CNI plugins to version 1.9.0 or later, which fixes the nftables rules. Where an upgrade is not immediately possible, configure the portmap plugin to use the iptables backend instead of nftables; the iptables backend does not have this defect. The configuration change must be made on every affected node, and it only governs mappings created from then on: HostPort rules already installed for running pods stay in place until those pods are torn down and recreated.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
A node is affected only if it runs portmap 1.6.0 through 1.8.0 and that plugin is using the nftables backend, so detection comes down to confirming both. Since the vulnerability consists of nftables rules that forward all traffic on a host port regardless of destination IP, the ruleset itself is the most direct evidence. Suggested steps:
1) Check the installed plugin version. CNI plugin binaries print a banner when run without a CNI_COMMAND, so running `/opt/cni/bin/portmap` (adjust the path to your CNI bin directory) typically reports a line such as `CNI portmap plugin v1.x.y`; a version from 1.6.0 up to but excluding 1.9.0 is affected.
2) Check which backend the plugin is configured for. Inspect the portmap entry in the CNI configuration under `/etc/cni/net.d/` for its `backend` setting: `nftables` is affected and `iptables` is not. If the field is absent, the plugin chooses a backend itself, so confirm from the ruleset in the next step rather than assuming iptables.
3) List the nftables ruleset with `sudo nft list ruleset` and look for chains named `hostip_hostports`, `hostports`, or `hostports_all` that handle port forwarding; their presence shows the nftables backend is in use. DNAT rules in those chains that match only on the destination port, with no destination-address match, are consistent with the behaviour described here.
4) Optionally confirm the effect on the wire: capture on the host port and check whether traffic addressed to other destinations is being delivered to the container that holds the HostPort mapping.
Upgrading to version 1.9.0 or switching the portmap plugin to the iptables backend removes the issue.