Description

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

INFO

Published Date :

2025-12-09T23:13:22.398Z

Last Modified :

2025-12-10T16:50:10.430Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-67499 vulnerability.

Vendors Products
Linuxfoundation
  • Cni Network Plugins
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67499.

URL Resource
https://github.com/containernetworking/plugins/pull/1210 cve-icon cve-icon cve-icon
https://github.com/containernetworking/plugins/releases/tag/v1.9.0 cve-icon cve-icon cve-icon
https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-67499 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-67499 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact