CVE-2025-30163 LOW

CVE-2025-30163: Node based network policies may incorrectly allow workload traffic

Vendor Cilium

Product cilium

Weakness CWE-863 · Incorrect authorization

Published March 24, 2025

Last update March 24, 2025

View on NVD All CVEs

CVSS base score

3.4/10

Attack vector Adjacent

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.

Key dates

02Disclosure timeline

March 24, 2025 CVE published

March 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-30163

Related vulnerabilities

Identifiers

CVE CVE-2025-30163

CWE CWE-863

CVSS 3.4 / LOW

Affected versions

Vendor Cilium

Product cilium

Affected >= 1.16.0, < 1.16.8

Vendor Cilium

Product cilium

Affected >= 1.17.0, < 1.17.2

CVE-2025-30163: Node based network policies may incorrectly allow workload traffic

01Description

02Disclosure timeline

03References

04Related CVE