Medium severity (CVSS 5.3) · OSV Advisory · Published Nov 7, 2025 · Updated Apr 15, 2026
CVE-2025-64323
Description
kgateway is a Cloud-Native API and AI Gateway. In versions 2.0.4 and below, and 2.1.0-agw-cel-rbac through 2.1.0-rc.2, the xDS server does not authenticate clients, so any client with unrestricted network access to the xDS port can retrieve potentially sensitive configuration data, including certificate data, backend service information, routing rules, and cluster metadata. This issue is fixed in versions 2.0.5 and 2.1.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/kgateway-dev/kgateway/v2 | Go | >= 2.1.0-agw-cel-rbac, < 2.1.0 | 2.1.0 |
| github.com/kgateway-dev/kgateway/v2 | Go | < 2.0.5 | 2.0.5 |
Affected products
- Range: 0.5.0, 0.5.1, 1.3.10, …
References
- github.com/advisories/GHSA-4766-x535-jw3r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64323 (NVD advisory)
- github.com/kgateway-dev/kgateway/issues/10651 (issue)
- github.com/kgateway-dev/kgateway/pull/12471 (pull request)
- github.com/kgateway-dev/kgateway/pull/12535 (pull request)
- github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r (project security advisory)