2354605 – (CVE-2025-30163) CVE-2025-30163 cilium: Node based network policies may incorrectly allow workload traffic

Bug 2354605 (CVE-2025-30163) - CVE-2025-30163 cilium: Node based network policies may incorrectly allow workload traffic

Summary: CVE-2025-30163 cilium: Node based network policies may incorrectly allow work...

Keywords:
Status:	NEW
Alias:	CVE-2025-30163
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2354717 2354718 2354719 2354721 2354722 2354723 2354724 2354725 2354727 2354729 2354730 2354731 2354732 2354733 2354735 2354736 2354737 2354738 2354739 2354742 2354743 2354712 2354713 2354714 2354715 2354716 2354720 2354726 2354728 2354734 2354740 2354741
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-24 19:01 UTC by OSIDB Bzimport
Modified:	2025-03-25 03:50 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-24 19:01:14 UTC

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.

Note You need to log in before you can comment on or make changes to this bug.