GHSA-5vxx-c285-pcq4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5vxx-c285-pcq4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-5vxx-c285-pcq4/GHSA-5vxx-c285-pcq4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-5vxx-c285-pcq4
- Aliases
- Related
- Published
- 2025-04-21T16:17:49Z
- Modified
- 2025-04-23T14:41:18Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
- Summary
- In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters
- Details
-
Impact
When using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium.
Patches
This issue has been patched in https://github.com/cilium/cilium/pull/38592.
This issue affects:
- Cilium v1.15 between v1.15.0 and v1.15.15 inclusive
- Cilium v1.16 between v1.16.0 and v1.16.8 inclusive
- Cilium v1.17 between v1.17.0 and v1.17.2 inclusive
This issue is fixed in:
- Cilium v1.15.16
- Cilium v1.16.9
- Cilium v1.17.3
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro and @pippolo84 for reporting this issue and to @julianwiedmann for the patch.
For more information
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
- Database specific
{ "nvd_published_at": "2025-04-21T16:15:54Z", "cwe_ids": [ "CWE-319", "CWE-362" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-21T16:17:49Z" }- References
Affected packages
Go / github.com/cilium/cilium
Package
- Name
- github.com/cilium/cilium
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cilium/cilium
Go / github.com/cilium/cilium
Package
- Name
- github.com/cilium/cilium
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cilium/cilium
Go / github.com/cilium/cilium
Package
- Name
- github.com/cilium/cilium
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cilium/cilium