CVE-2025-64323: kgateway is missing xDS authorization
(updated )
The xDS interface in Kgateway versions 2.0.0 through 2.0.4 lacks authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata.
References
- github.com/advisories/GHSA-4766-x535-jw3r
- github.com/kgateway-dev/kgateway
- github.com/kgateway-dev/kgateway/issues/10651
- github.com/kgateway-dev/kgateway/pull/12471
- github.com/kgateway-dev/kgateway/pull/12535
- github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r
- nvd.nist.gov/vuln/detail/CVE-2025-64323
Code Behaviors & Features
Detect and mitigate CVE-2025-64323 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →