CVE-2025-23047

6.5 MEDIUM

📋 TL;DR

CVE-2025-23047 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability in Cilium's Hubble UI that allows malicious websites to access sensitive Kubernetes cluster configuration data. Affected users are those running vulnerable Cilium versions with Hubble UI deployed via Cilium CLI or Helm chart. The vulnerability requires a victim to visit a malicious page while having access to Hubble UI.

💻 Affected Systems

Products:
  • Cilium
Versions: 1.14.0-1.14.7, 1.15.0-1.15.11, 1.16.0-1.16.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using Hubble UI via Cilium CLI or Helm chart. Cilium deployments without Hubble UI are not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could exfiltrate complete Kubernetes cluster configuration including node names, IP addresses, workload metadata, and network configuration, enabling further attacks against the cluster infrastructure.

🟠

Likely Case

Limited data exposure of cluster metadata that could be used for reconnaissance and targeted attacks against specific workloads or nodes.

🟢

If Mitigated

No data exposure if Hubble UI is not internet-facing and users follow security best practices for web application access.

🌐 Internet-Facing: HIGH - Hubble UI exposed to internet with vulnerable CORS configuration allows cross-origin attacks from any malicious website.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this via phishing or malicious internal sites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (visiting malicious page) and access to Hubble UI. No authentication bypass needed beyond Hubble UI access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cilium v1.14.18, v1.15.12, v1.16.5

Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-h78m-j95m-5356

Restart Required: Yes

Instructions:

1. Update Cilium to a patched version using your deployment method (Helm, CLI, or operator).
2. Restart Cilium components.
3. Verify Hubble UI is functioning correctly after the update.

🔧 Temporary Workarounds

Remove CORS headers from Helm template

Manually modify the Helm templates to remove the vulnerable CORS headers, as shown in the security advisory patch:

  # Apply patch from commit a3489f190ba6e87b5336ee685fb6c80b1270d06d
  # Or manually remove CORS headers from Hubble UI Helm templates

🧯 If You Can't Patch

  • Restrict Hubble UI access to trusted networks only using network policies or firewalls
  • Implement additional authentication/authorization layers for Hubble UI access

🔍 How to Verify

Check if Vulnerable:

Check Cilium version and Hubble UI deployment method. If using affected versions with Hubble UI via CLI/Helm, you are vulnerable.

Check Version:

cilium version | grep -i cilium

Verify Fix Applied:

Verify that the Cilium version is patched (1.14.18+, 1.15.12+, or 1.16.5+) and test Hubble UI functionality. A version check alone does not prove the deployed Hubble UI templates were regenerated; confirm that Hubble UI responses no longer carry permissive CORS headers for untrusted origins.
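The following is an added verification check, not code from the advisory or the Cilium project. It sends a single GET to a Hubble UI URL with a constructed, untrusted Origin header and classifies the Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers; the default URL (localhost:12000, the port used by `cilium hubble ui` port-forwarding) and the probe origin are assumptions.

```python
"""Classify how an endpoint answers a cross-origin request (added example)."""
import sys
import urllib.error
import urllib.request
from typing import Mapping

PROBE_ORIGIN = "https://cors-check.invalid"  # constructed, untrusted origin


def assess_cors(headers: Mapping[str, str], probe_origin: str = PROBE_ORIGIN) -> str:
    """Classify CORS response headers (names matched case-insensitively).

    Returns one of:
      "no-cors"          no Access-Control-Allow-Origin header (browsers block reads)
      "wildcard"         ACAO is '*' (any site may read non-credentialed responses)
      "reflected"        ACAO echoes the untrusted Origin that was sent
      "reflected+creds"  reflected origin AND Allow-Credentials: true (worst case)
      "restricted"       ACAO names some other, fixed origin
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard"
    if acao == probe_origin:
        return "reflected+creds" if creds else "reflected"
    return "restricted"


def probe(url: str, probe_origin: str = PROBE_ORIGIN, timeout: float = 5.0) -> str:
    """Run the check against a live URL, e.g. Hubble UI reached via port-forward."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_cors(dict(resp.headers.items()), probe_origin)
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return assess_cors(dict(err.headers.items()), probe_origin)


if __name__ == "__main__":
    # Assumption: `cilium hubble ui` forwards the UI to http://localhost:12000/
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:12000/"
    print(probe(target))
```

A result of "no-cors" or "restricted" is what a patched deployment should return; "wildcard", "reflected" or "reflected+creds" means the templates still emit permissive headers.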

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-origin requests to Hubble UI endpoints
  • Multiple failed CORS preflight requests

Network Indicators:

  • Cross-origin requests to Hubble UI from unexpected domains
  • Sensitive data in cross-origin responses

SIEM Query:

web_access_logs destination_uri="/api/v1/*" AND origin!="" AND origin!="<trusted-hubble-ui-origin>" AND status=200

A cross-origin request is identified by its Origin (or Referer) header, not by the User-Agent string; replace <trusted-hubble-ui-origin> with the origin your users legitimately load Hubble UI from.
