Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by kgateway-dev

    CVE-2025-64323 (GCVE-0-2025-64323)

    Vulnerability from cvelistv5 – Published: 2025-11-07 03:18 – Updated: 2025-11-07 17:50
    VLAI
    Title
    kgateway is missing xDS authorization
    Summary
    kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.
    Severity
    5.3 (Medium)
    CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    kgateway-dev kgateway Affected: >= 2.1.0-agw-cel-rbac, < 2.1.0
    Affected: < 2.0.5
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64323",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-07T17:49:21.697473Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-07T17:50:53.540Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kgateway",
          "vendor": "kgateway-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.1.0-agw-cel-rbac, \u003c 2.1.0"
            },
            {
              "status": "affected",
              "version": "\u003c 2.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T03:18:48.993Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r"
        },
        {
          "name": "https://github.com/kgateway-dev/kgateway/issues/10651",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/issues/10651"
        },
        {
          "name": "https://github.com/kgateway-dev/kgateway/pull/12471",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/pull/12471"
        },
        {
          "name": "https://github.com/kgateway-dev/kgateway/pull/12535",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/pull/12535"
        }
      ],
      "source": {
        "advisory": "GHSA-4766-x535-jw3r",
        "discovery": "UNKNOWN"
      },
      "title": "kgateway is missing xDS authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64323",
    "datePublished": "2025-11-07T03:18:48.993Z",
    "dateReserved": "2025-10-30T17:40:52.027Z",
    "dateUpdated": "2025-11-07T17:50:53.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2025-64323 (GCVE-0-2025-64323)

    Vulnerability from nvd – Published: 2025-11-07 03:18 – Updated: 2025-11-07 17:50
    VLAI
    Title
    kgateway is missing xDS authorization
    Summary
    kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.
    Severity
    5.3 (Medium)
    CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    kgateway-dev kgateway Affected: >= 2.1.0-agw-cel-rbac, < 2.1.0
    Affected: < 2.0.5
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64323",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-07T17:49:21.697473Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-07T17:50:53.540Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kgateway",
          "vendor": "kgateway-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.1.0-agw-cel-rbac, \u003c 2.1.0"
            },
            {
              "status": "affected",
              "version": "\u003c 2.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T03:18:48.993Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r"
        },
        {
          "name": "https://github.com/kgateway-dev/kgateway/issues/10651",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/issues/10651"
        },
        {
          "name": "https://github.com/kgateway-dev/kgateway/pull/12471",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/pull/12471"
        },
        {
          "name": "https://github.com/kgateway-dev/kgateway/pull/12535",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kgateway-dev/kgateway/pull/12535"
        }
      ],
      "source": {
        "advisory": "GHSA-4766-x535-jw3r",
        "discovery": "UNKNOWN"
      },
      "title": "kgateway is missing xDS authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64323",
    "datePublished": "2025-11-07T03:18:48.993Z",
    "dateReserved": "2025-10-30T17:40:52.027Z",
    "dateUpdated": "2025-11-07T17:50:53.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}