3.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-30163

GHSA ID

GHSA-c6pf-2v8j-96mc

EPSS Score

0.08906%

CWE

CWE-863

Published

3/24/2025

Updated

3/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30163

CVE-2025-30163: Cilium node based network policies may incorrectly allow workload traffic

Impact

Node based network policies (fromNodes and toNodes) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in fromNodes and toNodes sections of network policies. Node based network policy is disabled by default in Cilium.

Patches

This issue was fixed by https://github.com/cilium/cilium/pull/36657.

This issue affects:

Cilium v1.16 between v1.16.0 and v1.16.7 inclusive
Cilium v1.17 between v1.17.0 and v1.17.1 inclusive

This issue is fixed in:

Cilium v1.16.8
Cilium v1.17.2

Workarounds

Users can work around this issue by ensuring that the labels used in fromNodes and toNodes fields are used exclusively by nodes and not by other endpoints.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @oblazek for reporting and fixing this issue.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-30163

CVE-2025-30163:

3.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-30163

GHSA ID

GHSA-c6pf-2v8j-96mc

EPSS Score

0.08906%

CWE

CWE-863

Published

3/24/2025

Updated

3/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cilium/cilium	go
Ciliumgithub.com/cilium/cilium	go

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from node-based policies matching any endpoint with specified labels, not just nodes. The fix in PR #36657 explicitly adds a 'reserved:remote-node' matchExpression to node selector logic. The affected functions handling policy rule generation in utils.go were missing this critical label requirement in vulnerable versions, allowing unintended matches. The commit diff shows these functions were modified to add the node identity validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-30163: Cilium node based network policies may incorrectly allow workload traffic

Impact

Patches

Workarounds

Acknowledgements

For more information

CVE-2025-30163:

3.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

3.4

3.4

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-30163: Cilium node based network policies may incorrectly allow workload traffic

Impact

Patches

Workarounds

Acknowledgements

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI