CVE-2025-30163 in Cilium
Summary
by MITRE • 03/24/2025
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/07/2025
CVE-2025-30163 represents a critical authorization bypass vulnerability within Cilium's network policy enforcement mechanism that leverages the eBPF-based dataplane architecture. This flaw specifically impacts the node-based network policy functionality where administrators can define traffic rules using `fromNodes` and `toNodes` sections to control communication between cluster nodes. The vulnerability stems from an improper validation mechanism that fails to distinguish between node endpoints and non-node endpoints when evaluating labels specified in these policy sections. When labels used in `fromNodes` and `toNodes` are also assigned to non-node endpoints such as pods or services, the system incorrectly permits traffic flows that should be restricted, effectively creating a bypass of intended network security controls.
The technical implementation of this vulnerability resides in how Cilium processes label-based policy matching within its eBPF dataplane. According to CWE-284 Access Control Bypass, this issue represents a failure in enforcing proper access controls when multiple endpoint types share identical labels. The vulnerability manifests when the policy engine evaluates labels without proper node context verification, allowing non-node endpoints to satisfy node-based policy conditions. This misconfiguration creates a scenario where traffic from a pod or service that happens to share the same labels as a node can bypass intended restrictions, potentially enabling unauthorized network communication between disparate system components. The flaw is particularly concerning as it operates at the network layer where traffic flow decisions are made, potentially allowing lateral movement or data exfiltration attacks.
The operational impact of CVE-2025-30163 extends beyond simple network policy bypass to potentially compromise cluster security boundaries and enable privilege escalation attacks. When node-based policies are enabled, attackers who can manipulate endpoint labels or deploy pods with matching labels could exploit this vulnerability to gain unauthorized access to restricted network segments. This vulnerability directly relates to ATT&CK technique T1046 Network Service Scanning and T1566 Phishing, as it could enable attackers to establish unauthorized network connections that bypass security controls. The risk is amplified in environments where label-based security is heavily relied upon for network segmentation, as the vulnerability effectively neutralizes the security controls implemented through node-based policies. Organizations using Cilium versions between the affected ranges face potential exposure to lateral movement attacks where an attacker could leverage this flaw to traverse network boundaries that should be protected by node-based policies.
The vulnerability affects specific version ranges of Cilium including v1.16.0 through v1.16.7 and v1.17.0 through v1.17.1, making it critical for organizations to assess their deployment environments and implement appropriate mitigations. The recommended fix involves upgrading to Cilium v1.16.8 or v1.17.2 where the label validation mechanism has been corrected to properly distinguish between node and non-node endpoints. A temporary workaround involves ensuring that labels used in `fromNodes` and `toNodes` fields are exclusively assigned to node endpoints, preventing overlap with other endpoint types. This mitigation strategy aligns with security best practices for label management and demonstrates the importance of proper endpoint labeling in containerized environments. Organizations should conduct immediate vulnerability assessments to identify deployments using affected versions and implement the necessary upgrades or workarounds to maintain network security integrity.
This vulnerability highlights the complexity of implementing secure network policies in modern containerized environments where endpoint labeling plays a crucial role in access control decisions. The issue underscores the need for rigorous validation of policy enforcement mechanisms and proper context awareness in security controls. From a compliance perspective, this vulnerability could impact organizations subject to regulatory requirements such as PCI DSS, HIPAA, or ISO 27001, where proper network segmentation and access controls are mandatory. The remediation process should include comprehensive testing of network policies after applying fixes to ensure that legitimate traffic is not inadvertently blocked while maintaining the security controls that were previously compromised by this vulnerability.