GHSA-JV3W-X3R3-G6RM

Vulnerability from github – Published: 2025-12-09 17:18 – Updated: 2026-03-24 21:05
VLAI
Summary
CNA Plugins Portmap nftables backend can intercept non-local traffic
Details

Background

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to 198.51.100.42:53 be forwarded to the container's network.

Vulnerability

When the portmap plugin is configured with the nftables backend, it inadvertently forwards all traffic with the same destination port as the host port, ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.

In the given example above, traffic destined to port 53 but for a separate container would still be captured and forwarded, even though it was not destined for the host.

Impact

Containers (i.e. kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. (The iptables backend is the default.)

Patches

This is fixed as of CNI plugins v1.9.0

Workarounds

Configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

Severity
6.6 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containernetworking/plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:18:59Z",
    "nvd_published_at": "2025-12-10T00:16:11Z",
    "severity": "MODERATE"
  },
  "details": "### Background\n\nThe CNI `portmap` plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to `198.51.100.42:53` be forwarded to the container\u0027s network.\n\n### Vulnerability\n\nWhen the `portmap` plugin is configured with the `nftables` backend, it inadvertently forwards all traffic with the same destination port as the host port, **ignoring the destination IP**. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.\n\nIn the given example above, traffic destined to port 53 but for a _separate container_ would still be captured and forwarded, even though it was not destined for the host.\n\n### Impact\n\nContainers (i.e. kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the `portmap` plugin be explicitly configured to use the `nftables` backend. (The `iptables` backend is the default.)\n\n### Patches\nThis is fixed as of CNI plugins v1.9.0\n\n### Workarounds\nConfigure the `portmap` plugin to use the `iptables` backend. It does not have this vulnerability.",
  "id": "GHSA-jv3w-x3r3-g6rm",
  "modified": "2026-03-24T21:05:28Z",
  "published": "2025-12-09T17:18:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67499"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containernetworking/plugins/pull/1210"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containernetworking/plugins/commit/9b3772e1a7abf93cbb7c6526a28bc0d27b830e02"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containernetworking/plugins"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containernetworking/plugins/releases/tag/v1.9.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4222"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CNA Plugins Portmap nftables backend can intercept non-local traffic"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.