Vulnerability Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cilium | Cilium | >= 1.16.0, < 1.16.8 |
Related Weaknesses (CWE)
References
- https://docs.cilium.io/en/stable/security/policy/language/#node-basedProduct
- https://github.com/cilium/cilium/pull/36657Patch
- https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mcMitigationPatchThird Party Advisory
FAQ
What is CVE-2025-30163?
CVE-2025-30163 is a vulnerability with a CVSS score of 3.4 (LOW). Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endp...
How severe is CVE-2025-30163?
CVE-2025-30163 has been rated LOW with a CVSS base score of 3.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-30163?
Check the references section above for vendor advisories and patch information. Affected products include: Cilium Cilium.