2420964 – (CVE-2025-14443) CVE-2025-14443 ose-openshift-apiserver: OpenShift API Server: Server-Side Request Forgery (SSRF) vulnerability in ImageStreamImport mechanism

Bug 2420964 (CVE-2025-14443) - CVE-2025-14443 ose-openshift-apiserver: OpenShift API Server: Server-Side Request Forgery (SSRF) vulnerability in ImageStreamImport mechanism

Summary: CVE-2025-14443 ose-openshift-apiserver: OpenShift API Server: Server-Side Req...

Keywords:
Status:	NEW
Alias:	CVE-2025-14443
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-10 13:28 UTC by OSIDB Bzimport
Modified:	2025-12-16 12:06 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-10 13:28:00 UTC

Server-Side Request Forgery (SSRF) vulnerability in the OpenShift API server ImageStreamImport mechanism. The flaw is caused by missing IP address and network-range validation when processing user-supplied image references. During an ImageStreamImport request, the API server constructs outbound HTTP requests to retrieve image manifests without validating whether the resolved destination belongs to loopback, link-local, RFC1918 private networks, or cluster service CIDRs. As a result, an authenticated user with image import permissions can trigger network connections to internal services such as the Kubernetes API server, cloud metadata endpoints, or localhost-only services. This behavior enables internal network enumeration, service discovery, limited information disclosure via HTTP responses, and potential denial-of-service through excessive connection attempts.

Note You need to log in before you can comment on or make changes to this bug.