CVE-2025-32793
MEDIUM4.0EPSS 0.01%Cilium packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters
Published: 4/21/2025Modified: 5/20/2025
Also known as:GHSA-5vxx-c285-pcq4BIT-cilium-2025-32793BIT-cilium-operator-2025-32793BIT-hubble-relay-2025-32793CGA-34g5-vr79-8947GO-2025-3635
Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium. This issue has been patched in versions 1.15.16, 1.16.9, and 1.17.3. There are no workarounds available for this issue.
Affected packages (5)
- Bitnami/cilium>= 1.13.0, < 1.17.3
- Bitnami/cilium-operator>= 1.13.0, < 1.17.3
- Bitnami/hubble-relay>= 1.13.0, < 1.17.3
- Go/github.com/cilium/cilium>= 1.13.0, < 1.15.16
- Go/github.com/cilium/cilium>= 1.13.0, < 1.15.16, >= 1.16.0, < 1.16.9, >= 1.17.0, < 1.17.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |