Search criteria
1 vulnerability by kgateway-dev
CVE-2025-64323 (GCVE-0-2025-64323)
Vulnerability from cvelistv5 – Published: 2025-11-07 03:18 – Updated: 2025-11-07 17:50
VLAI?
Title
kgateway is missing xDS authorization
Summary
kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kgateway-dev | kgateway |
Affected:
>= 2.1.0-agw-cel-rbac, < 2.1.0
Affected: < 2.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T17:49:21.697473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T17:50:53.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kgateway",
"vendor": "kgateway-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0-agw-cel-rbac, \u003c 2.1.0"
},
{
"status": "affected",
"version": "\u003c 2.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T03:18:48.993Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r"
},
{
"name": "https://github.com/kgateway-dev/kgateway/issues/10651",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kgateway-dev/kgateway/issues/10651"
},
{
"name": "https://github.com/kgateway-dev/kgateway/pull/12471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kgateway-dev/kgateway/pull/12471"
},
{
"name": "https://github.com/kgateway-dev/kgateway/pull/12535",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kgateway-dev/kgateway/pull/12535"
}
],
"source": {
"advisory": "GHSA-4766-x535-jw3r",
"discovery": "UNKNOWN"
},
"title": "kgateway is missing xDS authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64323",
"datePublished": "2025-11-07T03:18:48.993Z",
"dateReserved": "2025-10-30T17:40:52.027Z",
"dateUpdated": "2025-11-07T17:50:53.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}