Skip to main content

Cni Network Plugins CVE-2025-67499

MEDIUM
Information Exposure (CWE-200)
2025-12-10 security-advisories@github.com GHSA-jv3w-x3r3-g6rm
6.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.6 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Dec 10, 2025 - 00:16 nvd
MEDIUM 6.6

DescriptionGitHub Advisory

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

AnalysisAI

The CNI portmap plugin versions 1.6.0 through 1.8.0 contain a traffic interception vulnerability when configured with the nftables backend, allowing containers to receive and intercept all traffic destined for their configured HostPort regardless of destination IP address. This affects Linux Foundation's CNI Network Plugins, and an attacker with local privileges and control over a container can intercept traffic intended for other containers or services on the same node. The vulnerability has a published patch available in version 1.9.0, an extremely low EPSS score of 0.02% indicates minimal real-world exploitation likelihood, and there is no indication of active exploitation in the wild.

Technical ContextAI

The Container Networking Interface (CNI) portmap plugin is a network plugin that enables containers to request host port forwarding, mapping a port on the host to a port within the container. The vulnerability exists specifically in the nftables backend implementation (an alternative to iptables for netfilter packet filtering rules) used to configure these port-forwarding rules. When nftables processes outbound and inbound traffic, the buggy rule configuration matches traffic based solely on the destination port number without also matching on the destination IP address, causing the filter to overmatch and intercept traffic that should transit through the node to other containers. The root cause is classified as CWE-200 (Information Exposure), though the vulnerability also enables traffic interception and potential disruption. The affected product is the Linux Foundation's CNI Network Plugins (cpe:2.3:a:linuxfoundation:cni_network_plugins), which are fundamental to Kubernetes and other container orchestration systems.

RemediationAI

Upgrade CNI Network Plugins to version 1.9.0 or later immediately, following the vendor's release notes at https://github.com/containernetworking/plugins/releases/tag/v1.9.0. If immediate patching is not feasible, reconfigure the portmap plugin to use the iptables backend instead of nftables, which does not exhibit this vulnerability and is the default backend in most deployments. This workaround requires restarting affected containers and may be implemented via CNI configuration files or orchestration platform settings (e.g., kubelet configuration in Kubernetes). Organizations should also audit their CNI configuration to identify if nftables is explicitly enabled and review container network policies to restrict inter-container traffic exposure.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed

Share

CVE-2025-67499 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy