BIT-HUBBLE-RELAY-2025-32793 Cilium packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can lea...

BIT-CILIUM-OPERATOR-2025-32793 Cilium packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can lea...

CVE-2025-32793

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can lea...

BIT-HUBBLE-RELAY-2025-30162 East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to...

BIT-CILIUM-2025-30162 East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to...

BIT-CILIUM-2025-30163 Node based network policies may incorrectly allow workload traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies fromNodes and toNodes will incorrectly permit traffic to/from non-node endpoints that share the labels specified in fromNodes and toNodes sections of network policies. Node based...

BIT-CILIUM-OPERATOR-2025-30163 Node based network policies may incorrectly allow workload traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies fromNodes and toNodes will incorrectly permit traffic to/from non-node endpoints that share the labels specified in fromNodes and toNodes sections of network policies. Node based...

CVE-2025-30163

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies fromNodes and toNodes will incorrectly permit traffic to/from non-node endpoints that share the labels specified in fromNodes and toNodes sections of network policies. Node based...

CVE-2025-30163 Node based network policies may incorrectly allow workload traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies fromNodes and toNodes will incorrectly permit traffic to/from non-node endpoints that share the labels specified in fromNodes and toNodes sections of network policies. Node based...

CVE-2025-30163

CVE-2025-30163 affects Cilium’s node-based network policies: policies using fromNodes/toNodes may incorrectly permit traffic to/from non-node endpoints sharing the same labels. Affected versions are Cilium v1.16.0–v1.16.7 and v1.17.0–v1.17.1; the issue is fixed in v1.16.8 and v1.17.2. Root cause:...

CVE-2024-37307

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0 and prior to versions 1.13.7, 1.14.12, and 1.15.6, the output of cilium-bugtool can contain sensitive data when the tool is run with the --envoy-dump flag set against Cilium...

CVE-2025-23047

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure for users of Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 who...

CVE-2025-23028

Cilium DoS (CVE-2025-23028): A crafted DNS response can crash Cilium agents in clusters proxying DNS traffic, affecting versions 1.14.0–1.14.7, 1.15.0–1.15.11, and 1.16.0–1.16.4. Impact varies by DNS policy: traffic allowed without DNS-based policy continues; DNS-policyed connections may be disru...

CVE-2025-23028 DoS in Cilium agent DNS proxy from crafted DNS responses

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an...

CVE-2025-23028 DoS in Cilium agent DNS proxy from crafted DNS responses

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an...

CVE-2025-23028 DoS in Cilium agent DNS proxy from crafted DNS responses

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an...

BIT-CILIUM-2024-52529 Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range AND 2. A Layer 7 allow policy that selects a specific port within the first policy's range...

CVE-2024-52529

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range AND 2. A Layer 7 allow policy that selects a specific port within the first policy's range...

CVE-2024-52529 Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range AND 2. A Layer 7 allow policy that selects a specific port within the first policy's range...

BIT-CILIUM-2024-47825 CIDR deny policies may not take effect when a more narrow CIDR allow is present

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than /32 may be ignored if there is a policy rule referencing a more narrow prefix CIDRSe...