CVE-2025-67499: Sensitive Information Exposure in Containernetworking Plugins

Severity
NVD: 3.6 (LOW)
CNA: 6.6
EPSS: 0.0% (top 95.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 10
Latest update: Dec 15

Description

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic de

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 1.0 | Impact: 2.5

Affected Packages (3 packages)

CVEList V5: containernetworking/plugins >= 1.6.0, < 1.9.0

Patches

Vulnerability Details (5)

OSV: CNA Plugins Portmap nftables backend can intercept non-local traffic in github.com/containernetworking/plugins (2025-12-15)
OSV: CVE-2025-67499: The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container (2025-12-10)
CVEList: CNI Plugins Portmap nftables backend intercepts non-local traffic (2025-12-09)
OSV: CNA Plugins Portmap nftables backend can intercept non-local traffic (2025-12-09)
GHSA: CNA Plugins Portmap nftables backend can intercept non-local traffic (2025-12-09)

Vendor Advisories (1)

Red Hat: CNI portmap plugin: github.com/containernetworking/plugins/plugins/meta/portmap: CNI portmap plugin: HostPort forwarding vulnerability allows traffic interception (2025-12-09)

Threat Intelligence (1)

Wiz: CVE-2025-67499 Impact, Exploitability, and Mitigation Steps | Wiz