GHSA-5vxx-c285-pcq4: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-32793

In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

Moderate severity GitHub Reviewed Published Apr 21, 2025 in cilium/cilium • Updated Apr 21, 2025

Package

gomod github.com/cilium/cilium (Go)

Affected versions

>= 1.13.0, < 1.15.16

>= 1.16.0, < 1.16.9

>= 1.17.0, < 1.17.3

Patched versions

1.15.16

1.16.9

1.17.3

Impact

When using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium.

Patches

This issue has been patched in cilium/cilium#38592.

This issue affects:

• Cilium v1.15 between v1.15.0 and v1.15.15 inclusive
• Cilium v1.16 between v1.16.0 and v1.16.8 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.2 inclusive

This issue is fixed in:

• Cilium v1.15.16
• Cilium v1.16.9
• Cilium v1.17.3

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro and @pippolo84 for reporting this issue and to @julianwiedmann for the patch.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

References

• GHSA-5vxx-c285-pcq4
• cilium/cilium#38592
• cilium/cilium@e8543ee

Published to the GitHub Advisory Database

Apr 21, 2025

Last updated

Apr 21, 2025