CVE-2025-67499

MEDIUM
6.6
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Dec 10, 2025 - 00:16 nvd

Description

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. As a workaround, configure the portmap plugin to use the iptables backend, which does not have this vulnerability.

Analysis

In versions 1.6.0 through 1.8.0 of the CNI portmap plugin, the nftables backend forwards every packet whose destination port matches a configured HostPort to the requesting container, regardless of the packet's destination IP address. An attacker who controls a container on the node (local access, low privileges) and can request a HostPort therefore intercepts traffic meant for other containers or services on the same node that happen to use the same port number. This affects the Linux Foundation's CNI Network Plugins. The fix is published in version 1.9.0, the EPSS score of 0.02% indicates a very low exploitation likelihood, and there is no indication of exploitation in the wild.

Technical Context

The Container Networking Interface (CNI) portmap plugin is a chained plugin that lets a container request host-port forwarding: a port on the host is mapped to a port inside the container by means of netfilter DNAT rules. The plugin can generate those rules through either its iptables backend or, since version 1.6.0, an nftables backend. The flaw is specific to the nftables backend: the forwarding rules it installs match on the destination port alone and do not also require that the destination address be one of the node's own addresses. The match therefore also captures packets that are merely transiting the node towards other containers hosted on it, for example traffic to a pod on the node that listens on the same port number, and delivers them to the container that requested the HostPort instead. The iptables backend does not share this defect. The root cause is classified as CWE-200 (Information Exposure), although the practical effect is traffic interception and, because the intended receiver never sees the traffic, loss of availability (hence the High availability impact in the CVSS vector). The affected product is the Linux Foundation's CNI Network Plugins (cpe:2.3:a:linuxfoundation:cni_network_plugins), the reference plugin set used by many Kubernetes and other container orchestration deployments.
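To make the difference between the two rule shapes concrete, here is an added example (not code from the containernetworking/plugins project or from this page) that models the node's prerouting DNAT step in Python and runs three constructed flows through a port-only rule and a rule that additionally requires the destination to be a node-local address. The node addresses, pod subnet, HostPort mapping, helper names and the netfilter expressions named in the comments are assumptions for illustration, not the plugin's actual generated ruleset.

```python
"""Model of the over-broad host-port DNAT match (constructed example, not plugin code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A TCP segment as seen at the node's prerouting hook, before or after DNAT."""
    saddr: str
    daddr: str
    dport: int


@dataclass(frozen=True)
class HostPort:
    """One HostPort request: host_port on the node -> container_ip:container_port."""
    host_port: int
    container_ip: str
    container_port: int


class Node:
    """A node with its own addresses, a local pod subnet and a set of HostPort rules."""

    def __init__(self, host_addrs, pod_cidr, mappings):
        # Addresses that a 'destination is local' check would match (iptables
        # addrtype LOCAL, nftables fib daddr type local; the exact expressions
        # used by the real backends are an assumption here).
        self.local_addrs = {ipaddress.ip_address(a) for a in host_addrs}
        self.local_addrs.add(ipaddress.ip_address("127.0.0.1"))
        self.pod_net = ipaddress.ip_network(pod_cidr)
        self.mappings = list(mappings)

    def dnat_port_only(self, flow):
        """Vulnerable shape: rewrite anything whose dport equals a HostPort."""
        for m in self.mappings:
            if flow.dport == m.host_port:
                return Flow(flow.saddr, m.container_ip, m.container_port)
        return flow

    def dnat_local_only(self, flow):
        """Hardened shape: rewrite only if the packet was addressed to the node itself."""
        daddr = ipaddress.ip_address(flow.daddr)
        for m in self.mappings:
            if flow.dport == m.host_port and daddr in self.local_addrs:
                return Flow(flow.saddr, m.container_ip, m.container_port)
        return flow

    def deliver(self, flow, dnat):
        """Where the flow ends up after DNAT: ('host', port), (pod_ip, port) or ('forwarded', port)."""
        out = dnat(flow)
        daddr = ipaddress.ip_address(out.daddr)
        if daddr in self.local_addrs:
            return ("host", out.dport)
        if daddr in self.pod_net:
            return (out.daddr, out.dport)
        return ("forwarded", out.dport)


# Constructed scenario: node 10.0.0.5 hosts pod A (10.244.1.10), which asked for
# hostPort 8080 -> 80, and pod B (10.244.1.20), which serves 8080 with no hostPort.
NODE = Node(host_addrs=["10.0.0.5"], pod_cidr="10.244.1.0/24",
            mappings=[HostPort(8080, "10.244.1.10", 80)])

FLOWS = [
    Flow("192.0.2.7", "10.0.0.5", 8080),      # external client -> node:8080 (intended for pod A)
    Flow("10.244.2.3", "10.244.1.20", 8080),  # pod on another node -> pod B:8080 (transit traffic)
    Flow("10.244.2.3", "10.244.1.20", 9090),  # pod on another node -> pod B:9090
]


def compare(node=NODE, flows=FLOWS):
    """For each flow: (flow, receiver under the port-only rule, receiver under the local-only rule)."""
    return [(f, node.deliver(f, node.dnat_port_only), node.deliver(f, node.dnat_local_only))
            for f in flows]


if __name__ == "__main__":
    for flow, vuln, fixed in compare():
        print(f"{flow.daddr}:{flow.dport:<5} port-only -> {vuln}   local-only -> {fixed}")
```

The second flow is the case the advisory describes: a pod on another node talking to pod B on port 8080 never touches a host port, yet the port-only rule rewrites it to pod A, so pod A reads (and pod B never receives) that traffic. The local-only rule leaves it untouched and still forwards the genuine node:8080 flow to pod A.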

Affected Products

Linux Foundation CNI Network Plugins versions 1.6.0 through 1.8.0 are affected when the portmap plugin is explicitly configured to use the nftables backend. The product is tracked under CPE cpe:2.3:a:linuxfoundation:cni_network_plugins:*:*:*:*:*:*:*:*. The fix is available in version 1.9.0 and later. Affected users should consult the official GitHub security advisory at https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm and the release notes at https://github.com/containernetworking/plugins/releases/tag/v1.9.0 for patch details and migration guidance.

Remediation

Upgrade CNI Network Plugins to version 1.9.0 or later, following the vendor's release notes at https://github.com/containernetworking/plugins/releases/tag/v1.9.0. If immediate patching is not feasible, reconfigure the portmap plugin to use the iptables backend, which does not exhibit this vulnerability and is what the plugin uses unless nftables has been explicitly selected. The backend is chosen in the CNI network configuration (the conflist under /etc/cni/net.d on a typical Kubernetes node, usually managed by the cluster's network add-on rather than by kubelet itself). Because portmap installs its rules when a container is created, containers that already hold a HostPort must be restarted for the change to take effect. Organizations should also audit their CNI configuration for an explicit nftables backend selection, and review network policies to limit which workloads may request HostPorts and what traffic can reach them.
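The audit called for above can be scripted. The following added example (not part of this page or of the plugins project) parses CNI network configurations, flags portmap entries that select the nftables backend when the installed plugin version lies in 1.6.0 through 1.8.0, and produces the iptables-backend variant that the vendor names as the workaround. It assumes the `backend` key that the portmap plugin's README documents as the backend selector, the Kubernetes default configuration directory /etc/cni/net.d, and a plugin version supplied by the caller from whatever release they installed; the sample conflist, the function names and the status strings are constructed for illustration.

```python
"""Audit CNI network configs for portmap entries on the nftables backend (added example)."""
import json
import re
from pathlib import Path

AFFECTED_FROM = (1, 6, 0)  # first affected release per the advisory
FIXED_IN = (1, 9, 0)       # first fixed release per the advisory


def parse_version(text):
    """'v1.8.0' / '1.8.0' / '1.8.0-rc1' -> (1, 8, 0); raises ValueError otherwise."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(text):
    """True when the version falls in the advisory's affected range 1.6.0 <= v < 1.9.0."""
    return AFFECTED_FROM <= parse_version(text) < FIXED_IN


def plugins_in(config):
    """Plugin entries of a .conflist, or a single-plugin .conf wrapped as a one-element list."""
    return config["plugins"] if "plugins" in config else [config]


def audit_config(config, plugin_version, source="<inline>"):
    """One finding per portmap entry; `backend` is the plugin's documented selector (assumption)."""
    findings = []
    for plugin in plugins_in(config):
        if plugin.get("type") != "portmap":
            continue
        backend = plugin.get("backend")
        if backend == "nftables" and version_affected(plugin_version):
            status = "VULNERABLE"
        elif backend == "nftables":
            status = "nftables backend selected, but plugin version is outside 1.6.0-1.8.0"
        elif backend is None:
            status = "backend not set; advisory requires explicit nftables selection, confirm your version's default"
        else:
            status = f"backend={backend}; not affected"
        findings.append({"source": source, "name": config.get("name"),
                         "backend": backend, "status": status})
    return findings


def harden(config):
    """Deep copy of the config with every portmap entry switched to the iptables backend."""
    hardened = json.loads(json.dumps(config))
    for plugin in plugins_in(hardened):
        if plugin.get("type") == "portmap":
            plugin["backend"] = "iptables"
    return hardened


def audit_dir(directory="/etc/cni/net.d", plugin_version="1.8.0"):
    """Audit every .conf/.conflist under the CNI config directory (Kubernetes default path)."""
    findings = []
    for path in sorted(Path(directory).glob("*.conf*")):
        try:
            config = json.loads(path.read_text())
        except (OSError, ValueError) as exc:
            findings.append({"source": str(path), "status": f"unreadable: {exc}"})
            continue
        findings.extend(audit_config(config, plugin_version, str(path)))
    return findings


# Constructed sample conflist in the shape loaded from /etc/cni/net.d.
SAMPLE_CONFLIST = json.loads("""
{
  "cniVersion": "1.0.0",
  "name": "example-net",
  "plugins": [
    {"type": "bridge", "bridge": "cni0",
     "ipam": {"type": "host-local", "subnet": "10.244.1.0/24"}},
    {"type": "portmap", "capabilities": {"portMappings": true}, "backend": "nftables"}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFLIST, "1.8.0", "sample"):
        print(finding)
    print(json.dumps(harden(SAMPLE_CONFLIST)["plugins"][1]))
```

Run `audit_dir()` as root on each node with the version you actually ship; a finding marked VULNERABLE means either upgrading to 1.9.0 or writing the `harden()` output back to the conflist and restarting the containers that hold HostPorts, since existing rules are not rewritten by a config change alone.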

Priority Score

33
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +33
POC: 0

Vendor Status


CVE-2025-67499 vulnerability details – vuln.today
