CVE-2025-30162

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.

CVSS v3 3.2 LOW

3.2^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.4 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.cilium.io/en/stable/network/lb-ipam	Product
https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj	Patch Third Party Advisory Mitigation
https://github.com/cilium/proxy/pull/1172	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::

History

No history.

Information

Published : 2025-03-24 19:15

Updated : 2025-09-04 15:50

NVD link : CVE-2025-30162

Mitre link : CVE-2025-30162

CVE.ORG link : CVE-2025-30162

JSON object : View

Products Affected

cilium

cilium

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-30162", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.4}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.5}]}, "published": "2025-03-24T19:15:52.767", "references": [{"url": "https://docs.cilium.io/en/stable/network/lb-ipam", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj", "tags": ["Patch", "Third Party Advisory", "Mitigation"], "source": "[email protected]"}, {"url": "https://github.com/cilium/proxy/pull/1172", "tags": ["Patch"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade."}, {"lang": "es", "value": "Cilium es una soluci\u00f3n de redes, observabilidad y seguridad con un plano de datos basado en eBPF. Para los usuarios de Cilium que utilizan la API de Gateway para Ingress en algunos servicios y LB-IPAM o BGP para la implementaci\u00f3n del servicio LB, y que utilizan pol\u00edticas de red para bloquear el tr\u00e1fico de salida de cargas de trabajo en un espacio de nombres a cargas de trabajo en otros espacios de nombres, se permitir\u00e1 incorrectamente el tr\u00e1fico de salida de cargas de trabajo cubiertas por dichas pol\u00edticas de red a los balanceadores de carga configurados por recursos de \"Gateway\". Los recursos de balanceadores de carga que no se implementan mediante una configuraci\u00f3n de la API de Gateway no se ven afectados por este problema. Este problema afecta a: Cilium v1.15 entre v1.15.0 y v1.15.14 inclusive, v1.16 entre v1.16.0 y v1.16.7 inclusive, y v1.17 entre v1.17.0 y v1.17.1 inclusive. Este problema se ha corregido en Cilium v1.15.15, v1.16.8 y v1.17.2. Se puede utilizar una pol\u00edtica de red Cilium para todo el cl\u00faster para solucionar este problema para los usuarios que no pueden actualizar."}], "lastModified": "2025-09-04T15:50:57.883", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "462795FE-BC70-4908-B7FD-F9099F7CCD1E", "versionEndExcluding": "1.15.15", "versionStartIncluding": "1.15.0"}, {"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC322837-6976-466C-BC66-07BDDA73CA85", "versionEndExcluding": "1.16.8", "versionStartIncluding": "1.16.0"}, {"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B54F78EA-BDCC-4FFF-841A-58476E72B924", "versionEndExcluding": "1.17.2", "versionStartIncluding": "1.17.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}