CVE-2025-13281
published 2025-12-14


Priority: P3 (35)
Severity: medium, 5.8 (CVSS 3.1)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.36% (27.3th percentile)
A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

Affected

17 ranges
Vendor     | Product                                          | Version range                                  | Fixed in
debian     | kubernetes                                       | < kubernetes 1.20.5+really1.20.2-1 (bookworm)  | kubernetes 1.20.5+really1.20.2-1 (bookworm)
k8s.io     | kubernetes                                       | >= 0, < 1.32.10                                | 1.32.10
k8s.io     | kubernetes                                       | >= 1.33.0-alpha.0, < 1.33.6                    | 1.33.6
k8s.io     | kubernetes                                       | >= 1.34.0-alpha.0, < 1.34.2                    | 1.34.2
kubernetes | kubernetes                                       | >= 0, < 1.20.5+really1.20.2-1                  | 1.20.5+really1.20.2-1
kubernetes | kubernetes                                       | >= 0, < 1.20.5+really1.20.2-1                  | 1.20.5+really1.20.2-1
kubernetes | kubernetes                                       | >= 0, < 1.20.5+really1.20.2-1                  | 1.20.5+really1.20.2-1
kubernetes | kubernetes                                       | >= 0, < 1.20.5+really1.20.2-1                  | 1.20.5+really1.20.2-1
kubernetes | kubernetes                                       | v1.30.0 – v1.30.14                             |
kubernetes | kubernetes                                       | v1.31.0 – v1.31.14                             |
kubernetes | kubernetes                                       | v1.32.0 – v1.32.9                              |
kubernetes | kubernetes                                       | v1.33.0 – v1.33.5                              |
kubernetes | kubernetes                                       | v1.34.0 – v1.34.1                              |
msrc       | azl3_kubernetes_1.30.10-16_on_azure_linux_3.0    |                                                |
msrc       | azl3_kubernetes_1.30.10-18_on_azure_linux_3.0    |                                                |
msrc       | cbl2_kubernetes_1.28.4-19_on_cbl_mariner_2.0     |                                                |
msrc       | cbl2_kubernetes_1.28.4-21_on_cbl_mariner_2.0     |                                                |

CVSS provenance

Source        | Score | Severity | Vector
nvd (v3.1)    | 5.8   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
osv           | 5.8   | MEDIUM   |
vendor_debian | 5.8   | MEDIUM   |
vendor_msrc   | 5.8   | MEDIUM   |
vendor_redhat | 5.8   | MEDIUM   |