
CVE-2025-54992


Vulnerability Description

OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which, in combination with GHSL-2025-024, allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to information disclosure. It has been patched in version 1.164.0.

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-54992?

CVE-2025-54992 is an XML external entity (XXE) injection vulnerability in OpenKilda, an open-source OpenFlow controller, affecting versions prior to 1.164.0. In combination with GHSL-2025-024, it allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running.

How severe is CVE-2025-54992?

CVSS scoring is not yet available for CVE-2025-54992. Check NVD for updates.

Is there a patch for CVE-2025-54992?

Yes. This issue has been patched in OpenKilda version 1.164.0. Check the references section above for vendor advisories and patch information, and review vendor security bulletins for remediation guidance.