Fedora Account System
Red Hat Associate
Red Hat Customer
A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. The function getTargetInterfaceIP (pkg/virt-api/rest/dialers.go) returns vmi.Status.Interfaces[0].IP without validation, which is then passed to net.Dial(). For VMIs using non-masquerade bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent inside the VM and is fully controllable by the VM owner. A tenant with kubevirt.io:edit permissions can create a VM with a modified guest agent reporting an arbitrary IP, then request port-forward to establish a bidirectional TCP tunnel from virt-api's cluster-internal network position to any routable destination. The default masquerade binding uses the cluster-assigned pod IP and is NOT affected.