CVE-2025-30162

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.

CVSS v3 3.2 LOW

3.2^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.4 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.cilium.io/en/stable/network/lb-ipam	Product
https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj	Patch Third Party Advisory Mitigation
https://github.com/cilium/proxy/pull/1172	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::

History

04 Sep 2025, 15:50

Type	Values Removed	Values Added
References	~~() https://docs.cilium.io/en/stable/network/lb-ipam -~~	() https://docs.cilium.io/en/stable/network/lb-ipam - Product
References	~~() https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj -~~	() https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj - Patch, Third Party Advisory, Mitigation
References	~~() https://github.com/cilium/proxy/pull/1172 -~~	() https://github.com/cilium/proxy/pull/1172 - Patch
CPE		cpe:2.3:a:cilium:cilium::::::::
First Time		Cilium cilium Cilium

27 Mar 2025, 16:45

Type	Values Removed	Values Added
Summary		(es) Cilium es una solución de redes, observabilidad y seguridad con un plano de datos basado en eBPF. Para los usuarios de Cilium que utilizan la API de Gateway para Ingress en algunos servicios y LB-IPAM o BGP para la implementación del servicio LB, y que utilizan políticas de red para bloquear el tráfico de salida de cargas de trabajo en un espacio de nombres a cargas de trabajo en otros espacios de nombres, se permitirá incorrectamente el tráfico de salida de cargas de trabajo cubiertas por dichas políticas de red a los balanceadores de carga configurados por recursos de "Gateway". Los recursos de balanceadores de carga que no se implementan mediante una configuración de la API de Gateway no se ven afectados por este problema. Este problema afecta a: Cilium v1.15 entre v1.15.0 y v1.15.14 inclusive, v1.16 entre v1.16.0 y v1.16.7 inclusive, y v1.17 entre v1.17.0 y v1.17.1 inclusive. Este problema se ha corregido en Cilium v1.15.15, v1.16.8 y v1.17.2. Se puede utilizar una política de red Cilium para todo el clúster para solucionar este problema para los usuarios que no pueden actualizar.

24 Mar 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-24 19:15

Updated : 2025-09-04 15:50

NVD link : CVE-2025-30162

Mitre link : CVE-2025-30162

CVE.ORG link : CVE-2025-30162

JSON object : View

Products Affected

cilium

cilium

CWE

CWE-863

Incorrect Authorization

3.2 /10