Moderate severityNVD Advisory· Published Apr 21, 2025· Updated Apr 21, 2025
Cilium packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters
CVE-2025-32793
Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium. This issue has been patched in versions 1.15.16, 1.16.9, and 1.17.3. There are no workarounds available for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cilium/ciliumGo | >= 1.13.0, < 1.15.16 | 1.15.16 |
github.com/cilium/ciliumGo | >= 1.16.0, < 1.16.9 | 1.16.9 |
github.com/cilium/ciliumGo | >= 1.17.0, < 1.17.3 | 1.17.3 |
Affected products
23- osv-coords22 versionspkg:apk/chainguard/cilium-1.14-container-initpkg:apk/chainguard/cilium-1.14-container-init-compatpkg:apk/chainguard/cilium-1.14-iptablespkg:apk/chainguard/cilium-fips-1.14-compatpkg:apk/chainguard/cilium-fips-1.14-container-initpkg:apk/chainguard/cilium-fips-1.14-container-init-compatpkg:apk/chainguard/cilium-fips-1.14-iptablespkg:apk/chainguard/hubblepkg:apk/chainguard/hubble-compatpkg:apk/chainguard/hubble-fipspkg:apk/chainguard/hubble-fips-compatpkg:apk/chainguard/hubble-ui-backend-fipspkg:apk/wolfi/cilium-1.14-container-initpkg:apk/wolfi/cilium-1.14-container-init-compatpkg:apk/wolfi/cilium-1.14-iptablespkg:apk/wolfi/hubblepkg:apk/wolfi/hubble-compatpkg:bitnami/ciliumpkg:bitnami/cilium-operatorpkg:bitnami/hubble-relaypkg:golang/github.com/cilium/ciliumpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 1.14.19-r34+ 21 more
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r56
- (no CPE)range: < 1.14.19-r56
- (no CPE)range: < 1.14.19-r56
- (no CPE)range: < 1.14.19-r56
- (no CPE)range: < 1.17.2-r2
- (no CPE)range: < 1.17.2-r2
- (no CPE)range: < 1.17.2-r2
- (no CPE)range: < 1.17.2-r2
- (no CPE)range: < 0.13.2-r6
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.17.2-r2
- (no CPE)range: < 1.17.2-r2
- (no CPE)range: >= 1.13.0, < 1.17.3
- (no CPE)range: >= 1.13.0, < 1.17.3
- (no CPE)range: >= 1.13.0, < 1.17.3
- (no CPE)range: >= 1.13.0, < 1.15.16
- (no CPE)range: < 0.0.20250422T181640-1.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-5vxx-c285-pcq4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-32793ghsaADVISORY
- github.com/cilium/cilium/commit/e8543eef05126e9ba8a845dc74e96f4e30f6dba9ghsaWEB
- github.com/cilium/cilium/pull/38592ghsax_refsource_MISCWEB
- github.com/cilium/cilium/security/advisories/GHSA-5vxx-c285-pcq4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.