CVE-2025-13281
📋 TL;DR
A half-blind SSRF vulnerability in kube-controller-manager's handling of Portworx StorageClass objects lets an authorized Kubernetes user make the controller reach unprotected endpoints on the control plane's host network. This can leak sensitive information from link-local or loopback services. Exploitation requires permission to create StorageClass objects, so only users holding that permission can trigger it.
💻 Affected Systems
- Kubernetes kube-controller-manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, cloud metadata endpoints, or internal APIs, potentially leading to credential theft, lateral movement, or data exfiltration.
Likely Case
Information disclosure from unprotected internal endpoints, potentially exposing configuration data, service discovery information, or limited internal network reconnaissance.
If Mitigated
Limited impact with proper network segmentation, host firewall rules, and minimal permissions following least privilege principles.
🎯 Exploit Status
Requires authorized user access and knowledge of internal endpoints to target
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kubernetes v1.30.0 and later, backported to v1.29.4, v1.28.9, v1.27.13
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ
Restart Required: Yes
Instructions:
1. Update Kubernetes to a patched version.
2. Restart kube-controller-manager.
3. Verify that StorageClass operations function correctly.
🔧 Temporary Workarounds
Disable Portworx in-tree StorageClass
Remove or disable Portworx in-tree StorageClass usage
kubectl delete storageclass <portworx-storageclass-name>
kubectl annotate storageclass <name> storageclass.kubernetes.io/is-default-class=false
Implement Network Policies
Restrict kube-controller-manager network access to only the endpoints it requires
# Configure host firewall rules to restrict loopback access
# Implement Kubernetes Network Policies for control plane components
🧯 If You Can't Patch
- Implement strict RBAC to limit StorageClass creation permissions
- Configure host firewall rules to block unauthorized loopback and link-local access from kube-controller-manager
🔍 How to Verify
Check if Vulnerable:
Check whether any StorageClass uses the Portworx in-tree provisioner and whether the Kubernetes version is below the patched releases
Check Version:
kubectl version
(the --short flag was removed in kubectl 1.28 and later; the plain command prints both client and server versions)
Verify Fix Applied:
Verify Kubernetes version is v1.30.0+, v1.29.4+, v1.28.9+, or v1.27.13+ and test StorageClass operations
📡 Detection & Monitoring
Log Indicators:
- Unusual StorageClass creation/modification events
- kube-controller-manager accessing unexpected local endpoints
Network Indicators:
- Unexpected outbound connections from control plane to internal services
- SSRF patterns in control plane network traffic
SIEM Query:
source="kube-controller-manager" AND (url="localhost:*" OR url="127.*" OR url="169.254.*" OR url="[::1]*")
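A detection example for the "unusual StorageClass creation/modification" indicator above, added here and not part of this advisory: it scans Kubernetes API server audit events (JSON lines) for StorageClass creates and updates whose provisioner is the Portworx in-tree plugin and reports the requesting user and the StorageClass parameters for triage. It assumes the provisioner name kubernetes.io/portworx-volume and the standard audit event fields (verb, user, objectRef, requestObject); the sample events are constructed.

```python
import json

# In-tree Portworx provisioner name (a known Kubernetes value; the advisory page does not quote it).
PORTWORX_PROVISIONER = "kubernetes.io/portworx-volume"
WATCHED_VERBS = {"create", "update"}  # "patch" bodies omit provisioner, so only full-object writes match

def parse_audit_event(line):
    """Parse one JSON-lines audit event from the API server; None if malformed."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def flag_portworx_storageclass_events(lines):
    """One finding per StorageClass create/update that uses the Portworx in-tree provisioner.
    Needs an audit policy level of Request or RequestResponse, otherwise requestObject is absent."""
    findings = []
    for line in lines:
        ev = parse_audit_event(line)
        if not ev or ev.get("verb") not in WATCHED_VERBS:
            continue
        ref = ev.get("objectRef") or {}
        obj = ev.get("requestObject") or {}
        if ref.get("resource") != "storageclasses" or obj.get("provisioner") != PORTWORX_PROVISIONER:
            continue
        findings.append({
            "auditID": ev.get("auditID"),
            "user": (ev.get("user") or {}).get("username"),
            "verb": ev["verb"],
            "name": ref.get("name"),
            # StorageClass parameters are the user-controlled input the controller acts on.
            "parameters": obj.get("parameters") or {},
        })
    return findings

# Constructed sample events, not real audit logs.
SAMPLE_AUDIT_LINES = [
    json.dumps({"auditID": "a1", "verb": "create", "user": {"username": "dev-user"},
                "objectRef": {"resource": "storageclasses", "name": "px-test"},
                "requestObject": {"provisioner": PORTWORX_PROVISIONER, "parameters": {"repl": "1"}}}),
    json.dumps({"auditID": "a2", "verb": "create", "user": {"username": "platform-admin"},
                "objectRef": {"resource": "storageclasses", "name": "gp3"},
                "requestObject": {"provisioner": "ebs.csi.aws.com"}}),
    json.dumps({"auditID": "a3", "verb": "get", "user": {"username": "dev-user"},
                "objectRef": {"resource": "storageclasses", "name": "px-test"}}),
    "not valid json",
]

if __name__ == "__main__":
    print(flag_portworx_storageclass_events(SAMPLE_AUDIT_LINES))
```

Feed it the audit log file line by line; any finding from a principal that is not expected to manage storage is worth correlating with the controller-manager and host-firewall logs from the same window.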