GHSA-jv3w-x3r3-g6rm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jv3w-x3r3-g6rm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-jv3w-x3r3-g6rm/GHSA-jv3w-x3r3-g6rm.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-jv3w-x3r3-g6rm
- Aliases
- Downstream
- Related
- Published
- 2025-12-09T17:18:59Z
- Modified
- 2025-12-10T16:03:56.426394Z
- Severity
-
- 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
- Summary
- CNA Plugins Portmap nftables backend can intercept non-local traffic
- Details
-
Background
The CNI
portmapplugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to198.51.100.42:53be forwarded to the container's network.Vulnerability
When the
portmapplugin is configured with thenftablesbackend, it inadvertently forwards all traffic with the same destination port as the host port, ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.In the given example above, traffic destined to port 53 but for a separate container would still be captured and forwarded, even though it was not destined for the host.
Impact
Containers (i.e. kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the
portmapplugin be explicitly configured to use thenftablesbackend. (Theiptablesbackend is the default.)Patches
This is fixed as of CNI plugins v1.9.0
Workarounds
Configure the
portmapplugin to use theiptablesbackend. It does not have this vulnerability. - Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-200" ], "github_reviewed_at": "2025-12-09T17:18:59Z", "github_reviewed": true, "nvd_published_at": "2025-12-10T00:16:11Z" }- References
-
- https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm
- https://nvd.nist.gov/vuln/detail/CVE-2025-67499
- https://github.com/containernetworking/plugins/pull/1210
- https://github.com/containernetworking/plugins/commit/9b3772e1a7abf93cbb7c6526a28bc0d27b830e02
- https://github.com/containernetworking/plugins
- https://github.com/containernetworking/plugins/releases/tag/v1.9.0
Affected packages
Go / github.com/containernetworking/plugins
Package
- Name
- github.com/containernetworking/plugins
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/containernetworking/plugins