CVE-2025-64715: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic
CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended.
References
- github.com/advisories/GHSA-38pp-6gcp-rqvm
- github.com/cilium/cilium
- github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97
- github.com/cilium/cilium/releases/tag/v1.16.17
- github.com/cilium/cilium/releases/tag/v1.17.10
- github.com/cilium/cilium/releases/tag/v1.18.4
- github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm
- nvd.nist.gov/vuln/detail/CVE-2025-64715
Code Behaviors & Features
Detect and mitigate CVE-2025-64715 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →