CVE-2025-67499
📋 TL;DR
Versions 1.6.0 through 1.8.0 of the CNI portmap plugin, when configured with the nftables backend, forward all traffic arriving on a host port to the container that requested HostPort forwarding, without filtering on the destination IP. A container can therefore receive traffic intended for other containers or for the node itself. Only systems running the portmap plugin with an explicit nftables backend configuration are affected.
💻 Affected Systems
- containernetworking/plugins portmap plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious container intercepts all traffic on critical ports (e.g., SSH, API endpoints), enabling data theft, man-in-the-middle attacks, or service disruption across the node.
Likely Case
Container unintentionally receives traffic meant for other containers, causing service failures or exposing sensitive data to unauthorized containers.
If Mitigated
With proper network segmentation and container isolation, impact is limited to traffic within the affected node's network segment.
🎯 Exploit Status
Exploitation requires ability to deploy containers with HostPort forwarding on vulnerable nodes. No authentication bypass needed beyond container deployment permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.0
Vendor Advisory: https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm
Restart Required: Yes
Instructions:
1. Update CNI plugins to version 1.9.0 or later.
2. Restart all containers using the portmap plugin.
3. Verify that the nftables rules now filter by destination IP.
🔧 Temporary Workarounds
Switch to iptables backend
Configure the portmap plugin to use the iptables backend instead of the nftables backend (Linux).
Edit the CNI configuration so the portmap plugin entry sets "backend": "iptables".
🧯 If You Can't Patch
- Isolate affected nodes from sensitive network segments
- Implement network policies to restrict container-to-container communication
🔍 How to Verify
Check if Vulnerable:
Check the CNI plugin version and the portmap configuration:
1. Verify whether the CNI plugin version is in the range 1.6.0-1.8.0.
2. Check whether the portmap plugin config has "backend": "nftables".
Check Version:
cni-plugin --version | grep portmap
Verify Fix Applied:
1. Confirm the CNI plugin version is 1.9.0 or later.
2. Verify that the nftables rules for portmap include destination IP filtering.
3. Test that containers only receive traffic destined for their specific IP.
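As an added helper that is not part of the advisory or of the containernetworking project, the following Python script checks a CNI config for the affected combination described above (a portmap entry with an explicit "backend": "nftables" on plugin versions 1.6.0 through 1.8.x) and rewrites it to the iptables workaround; the conflist it parses is constructed sample data and the version string is assumed to be supplied by the operator.

```python
import json
from typing import Iterator

# Constructed sample (not from the advisory): a conflist chaining bridge + portmap,
# with the portmap plugin explicitly configured for the nftables backend.
SAMPLE_CONFLIST = json.dumps({
    "cniVersion": "1.0.0",
    "name": "podnet",
    "plugins": [
        {"type": "bridge", "bridge": "cni0",
         "ipam": {"type": "host-local", "subnet": "10.88.0.0/16"}},
        {"type": "portmap", "capabilities": {"portMappings": True}, "backend": "nftables"},
    ],
})

AFFECTED_MIN = (1, 6, 0)   # first affected release per the advisory
FIXED = (1, 9, 0)          # release that carries the fix

def parse_version(text: str) -> tuple:
    """Turn 'v1.8.0' or '1.8.0-rc1' into a comparable (major, minor, patch) tuple."""
    return tuple(int(p) for p in text.lstrip("v").split("-")[0].split("."))

def portmap_entries(conf_text: str) -> Iterator[dict]:
    """Yield each portmap entry from a .conflist (plugins list) or a single-plugin .conf."""
    conf = json.loads(conf_text)
    for plugin in conf.get("plugins", [conf]):
        if plugin.get("type") == "portmap":
            yield plugin

def is_affected(plugin: dict, plugin_version: str) -> bool:
    """Affected only when version is in 1.6.0..1.8.x AND the backend is explicitly nftables."""
    ver = parse_version(plugin_version)
    return AFFECTED_MIN <= ver < FIXED and plugin.get("backend") == "nftables"

def assess(conf_text: str, plugin_version: str) -> list:
    """Return [(backend, affected)] for every portmap entry in the config."""
    return [(p.get("backend", "<default>"), is_affected(p, plugin_version))
            for p in portmap_entries(conf_text)]

def apply_iptables_workaround(conf_text: str) -> str:
    """Rewrite every portmap entry to the iptables backend (the interim workaround)."""
    conf = json.loads(conf_text)
    for plugin in conf.get("plugins", [conf]):
        if plugin.get("type") == "portmap":
            plugin["backend"] = "iptables"
    return json.dumps(conf, indent=2)

if __name__ == "__main__":
    print(assess(SAMPLE_CONFLIST, "1.8.0"))                              # [('nftables', True)]
    print(assess(apply_iptables_workaround(SAMPLE_CONFLIST), "1.8.0"))   # [('iptables', False)]
```

Run it against each file in /etc/cni/net.d (or your distribution's CNI config directory) together with the installed plugin version; any True result means the node still needs the 1.9.0 update or the iptables workaround.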
📡 Detection & Monitoring
Log Indicators:
- Unexpected traffic patterns in container network logs
- Portmap plugin error logs indicating misconfigured rules
Network Indicators:
- Traffic on host ports being received by multiple containers
- Unexpected network flows between containers sharing host ports
SIEM Query:
source="kubelet" AND "portmap" AND ("nftables" OR "misconfigured")