
CVE-2025-54470: NeuVector telemetry sender is vulnerable to MITM and DoS

CVSS Score (v3.1): 8.6

Basic Information

EPSS Score: -
Published: 10/21/2025
Updated: 10/21/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| https://github.com/neuvector/neuvector | go | >= 5.3.0, < 5.3.5 | 5.3.5 |
| https://github.com/neuvector/neuvector | go | >= 5.4.0, <= 5.4.6 | 5.4.7 |
| https://github.com/neuvector/neuvector | go | >= 0.0.0-20230727023453-1c4957d53911, < 0.0.0-20251020133207-084a437033b4 | 0.0.0-20251020133207-084a437033b4 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability analysis identified two primary issues in the NeuVector telemetry sender: a Man-in-the-Middle (MITM) vulnerability due to improper TLS certificate validation, and a Denial of Service (DoS) vulnerability due to unbounded memory allocation when reading server responses.

The investigation of the provided patches pinpointed the root causes within the controller/rest/federation.go file. The rest.createHttpClient function created an HTTP client hardcoded with InsecureSkipVerify: true, so the server certificate was never validated. This client was then used by the rest.sendRestReqInternal function for all outgoing requests, including telemetry data transmission.

The rest.sendRestReqInternal function also contained the DoS flaw, as it used ioutil.ReadAll to read the entire response from the telemetry server into memory without any size restrictions. An attacker could exploit this by sending a large response, causing the controller to crash.

The patch addresses these issues by introducing a secure-by-default approach. It modifies rest.createHttpClient to accept a parameter for TLS verification and creates both a secure and an insecure client. The rest.sendRestReqInternal function is updated to use the secure client for telemetry requests and wraps the response body in io.LimitReader to restrict the response size to 256 bytes, mitigating both the MITM and DoS vulnerabilities.

The function rest.getNvUpgradeInfo in controller/rest/system.go was identified as the trigger for this vulnerable operation, as it initiates the call to the telemetry server.

Vulnerable functions

rest.sendRestReqInternal
controller/rest/federation.go
This function was responsible for sending HTTP requests. For telemetry reports, it used an HTTP client that skipped TLS certificate verification, making the communication vulnerable to Man-in-the-Middle (MITM) attacks. Additionally, it read the entire HTTP response body into memory using `ioutil.ReadAll`, which made it vulnerable to a Denial of Service (DoS) attack if a malicious actor could provide a large response.
rest.createHttpClient
controller/rest/federation.go
This function was responsible for creating the HTTP client. In the vulnerable version, it was hardcoded with `InsecureSkipVerify: true`, which disables TLS certificate verification. This insecure client was then used for telemetry communications, leading to the MITM vulnerability.
rest.getNvUpgradeInfo
controller/rest/system.go
This function initiates the telemetry call that triggers the vulnerable behavior. It calls `sendRestRequest` with the `idTarget` set to "telemetry", which in turn calls the vulnerable `sendRestReqInternal` function. While the vulnerability is not directly in this function, it is a critical part of the execution flow that leads to the exploitation of the vulnerability.
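The two defects described above and the shape of the fix, as an added Go example that is not NeuVector's own code: newHTTPClient with insecure=true reproduces the hardcoded InsecureSkipVerify client, insecure=false is the verifying replacement, and readBounded stands in for the io.LimitReader change, going one step further than plain truncation by rejecting any reply over the cap. Function names, the error value and the timeout are assumptions; maxTelemetryResp is the 256-byte limit the advisory cites.

```go
package main

import (
	"crypto/tls"
	"errors"
	"io"
	"net/http"
	"time"
)

// maxTelemetryResp mirrors the 256-byte cap the patch applies with io.LimitReader.
const maxTelemetryResp = 256

// ErrResponseTooLarge (assumed name) reports a reply larger than the cap.
var ErrResponseTooLarge = errors.New("telemetry response exceeds size limit")

// newHTTPClient builds the client. insecure=true reproduces the vulnerable
// hardcoded InsecureSkipVerify: true; insecure=false verifies the server chain.
func newHTTPClient(insecure bool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			// With InsecureSkipVerify any certificate is accepted, enabling MITM.
			TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
		},
	}
}

// readBounded replaces ioutil.ReadAll: it reads at most limit bytes and fails
// if the body is larger, so an oversized reply cannot exhaust controller memory.
func readBounded(body io.Reader, limit int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrResponseTooLarge
	}
	return buf, nil
}

// fetchTelemetry issues the request with the given client and bounds the reply.
func fetchTelemetry(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBounded(resp.Body, maxTelemetryResp)
}
```

Pointed at a server with an untrusted certificate (for instance one from httptest.NewTLSServer), the insecure client returns a body while the verifying client returns an x509 error, which is the observable difference between the vulnerable and patched builds.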

WAF Protection Rules

WAF Rule

### Impact

This vulnerability affects NeuVector deployments only when the `Report anonymous cluster data option` is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server at `https://upgrades.neuvector-
