CVE-2025-64323
📋 TL;DR
kgateway versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication on the xDS port, allowing any client with network access to retrieve sensitive configuration data including certificates, backend services, routing rules, and cluster metadata. This affects organizations using vulnerable kgateway deployments, particularly those with internet-facing instances or insufficient network segmentation.
💻 Affected Systems
- kgateway
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain sensitive configuration data including TLS certificates, backend service credentials, and routing rules, enabling further attacks like service impersonation, credential theft, or infrastructure compromise.
Likely Case
Unauthorized access to configuration data reveals internal network architecture, service endpoints, and potentially sensitive metadata that could facilitate reconnaissance for targeted attacks.
If Mitigated
With proper network controls and segmentation, exposure is limited to authorized internal clients only, reducing risk to information disclosure within trusted boundaries.
🎯 Exploit Status
Exploitation requires network access to xDS port (default 18000). No authentication needed, making trivial for attackers with access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.5 or 2.1.0
Vendor Advisory: https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r
Restart Required: Yes
Instructions:
1. Identify affected kgateway instances. 2. Upgrade to version 2.0.5 or 2.1.0. 3. Restart kgateway services. 4. Verify xDS port now requires authentication.
🔧 Temporary Workarounds
Network Access Control
linuxRestrict network access to xDS port (default 18000) using firewall rules to only trusted sources.
iptables -A INPUT -p tcp --dport 18000 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 18000 -j DROP
Network Segmentation
allPlace kgateway instances in isolated network segments with strict ingress/egress controls.
🧯 If You Can't Patch
- Implement strict network access controls to limit xDS port access to authorized IPs only.
- Monitor network traffic to xDS port for unauthorized access attempts and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Test if xDS port (default 18000) responds to unauthenticated requests from unauthorized network sources. Use curl or netcat to attempt connection without credentials.Check Version:
kgateway --version or check deployment configuration/container tagsVerify Fix Applied:
After patching, attempt to access xDS port without authentication - should be rejected. Verify version is 2.0.5 or 2.1.0.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to xDS port
- Failed authentication events on xDS interface
- Unusual configuration retrieval patterns
Network Indicators:
- Unexpected connections to port 18000 from unauthorized sources
- Large data transfers from xDS port to external IPs
SIEM Query:
source_port:18000 AND (dest_ip NOT IN [trusted_ips]) OR (auth_failure AND port:18000)