CVE-2025-13281
Published 2025-12-14
Priority: P3 35 · Severity: medium · CVSS 3.1 base score: 5.8
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.36% (27.3rd percentile)
A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.32.10 | 1.32.10 |
| k8s.io | kubernetes | >= 1.33.0-alpha.0 < 1.33.6 | 1.33.6 |
| k8s.io | kubernetes | >= 1.34.0-alpha.0 < 1.34.2 | 1.34.2 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | v1.30.0 – v1.30.14 | — |
| kubernetes | kubernetes | v1.31.0 – v1.31.14 | — |
| kubernetes | kubernetes | v1.32.0 – v1.32.9 | — |
| kubernetes | kubernetes | v1.33.0 – v1.33.5 | — |
| kubernetes | kubernetes | v1.34.0 – v1.34.1 | — |
| msrc | azl3_kubernetes_1.30.10-16_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-18_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-19_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-21_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N |
| osv | 5.8 | MEDIUM | — |
| vendor_debian | 5.8 | MEDIUM | — |
| vendor_msrc | 5.8 | MEDIUM | — |
| vendor_redhat | 5.8 | MEDIUM | — |
OSV
Half-blind Server Side Request Forgery in kube-controller-manager through in-tree Portworx StorageClass in k8s.io/kubernetes
osv · 2025-12-16
OSV
kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass
osv · 2025-12-15 · MEDIUM
GHSA
kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass
ghsa · 2025-12-15 · MEDIUM · CWE-918
OSV
CVE-2025-13281: A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass
osv · 2025-12-14 · CVSS 5.8 · MEDIUM
Red Hat
kube-controller-manager: Portworx Half-Blind SSRF in kube-controller-manager
vendor_redhat · 2025-12-14 · CVSS 5.8 · MEDIUM · CWE-918
A half-blind Server-Side Request Forgery (SSRF) found in kube-controller-manager that can be triggered when using the legacy in-tree Portworx StorageClass. An authorized user with sufficient privileges can cause the controller to make requests to internal, host-network–accessible endpoints, potentially leaking sensitive information from unprotected services.
Statement: This issue is classified
Microsoft
Portworx Half-Blind SSRF in kube-controller-manager
vendor_msrc · 2025-12-09 · CVSS 5.8 · MEDIUM · CWE-918
Mariner: Mariner
kubernetes: kubernetes
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian
CVE-2025-13281: kubernetes - A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-con...
vendor_debian · 2025 · CVSS 5.8 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-13281 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.8 · MEDIUM
CVE-2025-13281: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 5.8
Published: December 14, 2025
Severity: MEDIUM
CNA Score: 5.8
Affected Technologies: NixOS; Kubernetes (Worker Node) - Workload Scan
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: blob-csi-fips-1.24; longhorn-m
Bugzilla
CVE-2025-13281 cri-tools1.30: Portworx Half-Blind SSRF in kube-controller-manager [fedora-42]
bugzilla · 2025-12-15 · CVSS 5.8 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close al
Bugzilla
CVE-2025-13281 kubernetes1.29: Portworx Half-Blind SSRF in kube-controller-manager [fedora-42]
bugzilla · 2025-12-15 · CVSS 5.8 · MEDIUM
Bugzilla
CVE-2025-13281 cri-tools1.29: Portworx Half-Blind SSRF in kube-controller-manager [fedora-42]
bugzilla · 2025-12-15 · CVSS 5.8 · MEDIUM
Bugzilla
CVE-2025-13281 cri-tools: Portworx Half-Blind SSRF in kube-controller-manager [fedora-42]
bugzilla · 2025-12-15 · CVSS 5.8 · MEDIUM
Bugzilla
CVE-2025-13281 kubernetes1.30: Portworx Half-Blind SSRF in kube-controller-manager [fedora-42]
bugzilla · 2025-12-15 · CVSS 5.8 · MEDIUM
Bugzilla
CVE-2025-13281 kube-controller-manager: Portworx Half-Blind SSRF in kube-controller-manager
bugzilla · 2025-12-14 · CVSS 5.8 · MEDIUM