CVE-2025-67499
Last modified
CVE-2025-67499 is a low-severity vulnerability rated 3.6/10 on the CVSS scale. The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. EPSS estimates a 0.12% chance of exploitation in the next 30 days.
Description
The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.
Metrics
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Cni Network Plugins | >= 1.6.0, < 1.9.0 |
References
- https://github.com/containernetworking/plugins/pull/1210Issue Tracking, Patch
- https://github.com/containernetworking/plugins/releases/tag/v1.9.0Product, Release Notes
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-67499?
How severe is CVE-2025-67499?
How do I fix CVE-2025-67499?
Are you affected by CVE-2025-67499?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST