
CVE-2025-64323: kgateway is missing xDS authorization

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 11/4/2025
Updated: 11/4/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/kgateway-dev/kgateway/v2 | go | >= 2.1.0-agw-cel-rbac, < 2.1.0 | 2.1.0 |
| github.com/kgateway-dev/kgateway/v2 | go | < 2.0.5 | 2.0.5 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the absence of an authentication mechanism on the xDS gRPC server in Kgateway. This allowed any client with network access to connect and retrieve sensitive configuration data. The analysis of the patches reveals that the fix involves adding a JWT-based authentication layer.

The core of the vulnerability is in how the xDS server was created and how it handled incoming requests. The function setup.NewControlPlane was responsible for setting up the gRPC server. In its vulnerable state, it did not configure any authentication interceptors, leaving the xDS services exposed.

Requests were handled by krtcollections.(*callbacks).OnStreamRequest, which processed the discovery requests. This function trusted client-provided node metadata (the 'role' field) to identify the client, which is insecure: nothing verified that value, so an attacker could simply set the field to impersonate a privileged client.

The patch introduces new authentication logic in internal/kgateway/setup/authn.go, including the KubeJWTAuthenticator and authenticationManager. The setup.NewControlPlane function was updated to use this new authentication mechanism via a gRPC stream interceptor. The (*callbacks).OnStreamRequest function was also modified to use the authenticated peer information from the context instead of relying on unverified client metadata.

Therefore, the vulnerable functions are the ones that previously created the insecure server and processed the unauthenticated requests. The newly added functions in authn.go are part of the mitigation.

Vulnerable functions

krtcollections.(*callbacks).OnStreamRequest (internal/kgateway/krtcollections/uniqueclients.go)
This function processes incoming xDS discovery requests. Prior to the patch, it determined the client's identity and permissions from the 'role' field in the node metadata that the client itself supplied in the request. Because this metadata was never verified, a malicious client could set the field to any value, impersonate a privileged client, and obtain sensitive xDS configuration data. The patch changes the function to use peer information derived from a validated JWT instead of the unauthenticated node metadata.

setup.NewControlPlane (internal/kgateway/setup/controlplane.go)
This function initializes and configures the gRPC server that hosts the xDS services. The vulnerable version created the gRPC server without any authentication mechanism. The patch introduces parameters for authenticators and an authentication flag (`xdsAuth`) and uses them to configure a new gRPC stream interceptor that performs JWT-based authentication on incoming requests. The absence of this interceptor in the vulnerable version is what allowed unauthenticated access.

setup.(*authenticationManager).authenticate (internal/kgateway/setup/authn.go)
This function was added as part of the fix to handle the authentication logic. It iterates through a list of authenticators to validate the client's credentials. The vulnerability existed because no such authentication-managing function was present; its introduction is a direct mitigation.

setup.(*KubeJWTAuthenticator).Authenticate (internal/kgateway/setup/authn.go)
This function, and the `KubeJWTAuthenticator` struct it belongs to, were added to implement the JWT-based authentication. It extracts and validates the Kubernetes JWT from the request. The vulnerability was due to the complete lack of this authentication mechanism, which this new function provides.
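To make the before/after concrete, here is an added Go example (not kgateway's own code) that models the fix described in the root cause analysis and the function list above: a list of authenticators walked in turn by an authentication-manager function, which attaches the validated peer to the stream context, and a handler that derives the client's role from that context rather than from client-supplied node metadata. The real KubeJWTAuthenticator is replaced by a constructed HMAC-token stand-in; the names signClaims, hmacTokenAuthenticator, authenticate, vulnerableRole and patchedRole, and the "Bearer subject.role.hexmac" token format, are assumptions of this example.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Peer is the identity the stream interceptor established; handlers read only this.
type Peer struct{ Subject, Role string }
type peerKey struct{}
// Authenticator follows the page's description of authn.go: check stream metadata, return a peer or an error.
type Authenticator func(md map[string]string) (Peer, error)
func signClaims(key []byte, subject, role string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(subject + "." + role))
	return hex.EncodeToString(mac.Sum(nil))
}
// hmacTokenAuthenticator is a constructed stand-in for KubeJWTAuthenticator (the real one validates a
// Kubernetes service-account JWT). Assumed token format: "Bearer subject.role.hexmac", MAC over "subject.role".
func hmacTokenAuthenticator(key []byte) Authenticator {
	return func(md map[string]string) (Peer, error) {
		parts := strings.Split(strings.TrimPrefix(md["authorization"], "Bearer "), ".")
		if len(parts) != 3 || !hmac.Equal([]byte(signClaims(key, parts[0], parts[1])), []byte(parts[2])) {
			return Peer{}, errors.New("missing or invalid token")
		}
		return Peer{Subject: parts[0], Role: parts[1]}, nil
	}
}
// authenticate mirrors setup.(*authenticationManager).authenticate: try each
// authenticator in turn; the first success attaches the peer to the context.
func authenticate(ctx context.Context, md map[string]string, auths []Authenticator) (context.Context, error) {
	for _, a := range auths {
		if p, err := a(md); err == nil {
			return context.WithValue(ctx, peerKey{}, p), nil
		}
	}
	return ctx, errors.New("unauthenticated")
}
// vulnerableRole: pre-patch, the role came straight from client-supplied node metadata.
func vulnerableRole(nodeMetadata map[string]string) string { return nodeMetadata["role"] }
// patchedRole: post-patch, only the interceptor-established peer determines the role.
func patchedRole(ctx context.Context) (string, bool) {
	p, ok := ctx.Value(peerKey{}).(Peer)
	return p.Role, ok
}
```

With a stream interceptor wired to authenticate, a request carrying only a forged 'role' in its node metadata never reaches the handler with a peer attached, so the metadata value is no longer consulted.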

WAF Protection Rules

WAF Rule

Summary
The xDS interface in Kgateway versions *.*.* through *.*.* lacks authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data, including certificate data, backend
