Refine your search
1 vulnerability found for by kgateway-dev
CVE-2025-64323 (GCVE-0-2025-64323)
Vulnerability from cvelistv5
Published
2025-11-07 03:18
Modified
2025-11-07 17:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kgateway-dev | kgateway |
Version: >= 2.1.0-agw-cel-rbac, < 2.1.0 Version: < 2.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T17:49:21.697473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T17:50:53.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kgateway",
"vendor": "kgateway-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0-agw-cel-rbac, \u003c 2.1.0"
},
{
"status": "affected",
"version": "\u003c 2.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T03:18:48.993Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r"
},
{
"name": "https://github.com/kgateway-dev/kgateway/issues/10651",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kgateway-dev/kgateway/issues/10651"
},
{
"name": "https://github.com/kgateway-dev/kgateway/pull/12471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kgateway-dev/kgateway/pull/12471"
},
{
"name": "https://github.com/kgateway-dev/kgateway/pull/12535",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kgateway-dev/kgateway/pull/12535"
}
],
"source": {
"advisory": "GHSA-4766-x535-jw3r",
"discovery": "UNKNOWN"
},
"title": "kgateway is missing xDS authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64323",
"datePublished": "2025-11-07T03:18:48.993Z",
"dateReserved": "2025-10-30T17:40:52.027Z",
"dateUpdated": "2025-11-07T17:50:53.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}