
GHSA-5pmx-7r6r-wfqq: Kgateway transformation policy template can emit files from the container

CVSS Score: 3.5 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 11/4/2025
Updated: 11/4/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/kgateway-dev/kgateway/v2 | go | < 2.0.5 | 2.0.5 |
| github.com/kgateway-dev/kgateway/v2 | go | >= 2.1.0-agw-cel-rbac, < 2.1.0 | 2.1.0 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability exists within the envoy-gloo dependency, which is a pre-compiled binary consumed by Kgateway. The provided patches for Kgateway only show updates to the version of this dependency. Without access to the source code of the vulnerable envoy-gloo versions, it is not possible to identify the specific vulnerable functions. The vulnerability is related to the transformation policy template feature, which allows for path traversal and arbitrary file reads from the dataplane container. The fix was to update the transformation filter in envoy-gloo to prevent this file access.


WAF Protection Rules

WAF Rule

## Summary

The transformation policy template feature in Kgateway versions before 2.0.5 (see the affected-version table above) allows users with TrafficPolicy creation permissions to craft transformations that read and expose arbitrary files from the dataplane container filesystem.
