
Cloud Vulnerability DB
A community-led vulnerabilities database
An insecure default Access-Control-Allow-Origin header value in Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 could lead to sensitive data exposure for users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart. The vulnerability was discovered and disclosed on January 22, 2025, affecting the Hubble UI component of Cilium, which is a networking, observability, and security solution with an eBPF-based dataplane (NVD, GitHub Advisory).
The vulnerability stems from an insecure configuration of the CORS (Cross-Origin Resource Sharing) headers served by the Hubble UI component. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, has low attack complexity and requires no privileges, but does need user interaction to be exploited; its impact is limited to confidentiality. The vulnerability is tracked as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).
A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster that Hubble UI is monitoring. The exposed information includes node names, IP addresses, and other metadata about workloads and the cluster networking configuration. Exploitation requires the victim to first visit a malicious page (GitHub Advisory).
The issue has been fixed in Cilium versions v1.14.18, v1.15.12, and v1.16.5. As a workaround, users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template as shown in the patch from commit a3489f190ba6e87b5336ee685fb6c80b1270d06d (NVD, GitHub Commit).
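To confirm that a Hubble UI deployment you operate no longer answers cross-origin requests permissively (for example after upgrading or applying the Helm template workaround above), the following added audit script sends a request carrying a probe Origin and classifies the CORS headers in the response. This is example code, not Cilium project code; it assumes the Hubble UI HTTP endpoint is reachable at a URL you supply (such as a local port-forward), and it treats a wildcard, a `null` value, or a reflection of the arbitrary probe Origin as permissive, which is a general CORS assumption rather than a value stated in the advisory.

```python
"""Audit a Hubble UI endpoint for a permissive Access-Control-Allow-Origin header.

Added example, not Cilium project code. Assumes the Hubble UI HTTP endpoint is
reachable at the URL given on the command line (e.g. a kubectl port-forward).
"""
import sys
import urllib.error
import urllib.request
from typing import Mapping

# Constructed probe value: an origin no legitimate deployment should allow.
PROBE_ORIGIN = "https://cors-probe.invalid"


def classify_cors(probe_origin: str, headers: Mapping[str, str]) -> str:
    """Classify a response's CORS headers.

    Returns 'none' (no ACAO header: browsers block cross-origin reads),
    'restricted' (ACAO names a specific, non-probe origin), 'permissive'
    (wildcard, 'null', or the probe origin reflected back), or
    'permissive-with-credentials' when Allow-Credentials: true is also set.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    if acao is None:
        return "none"
    creds = lowered.get("access-control-allow-credentials", "").lower() == "true"
    if acao in ("*", "null", probe_origin):
        return "permissive-with-credentials" if creds else "permissive"
    return "restricted"


def audit_hubble_ui(url: str, probe_origin: str = PROBE_ORIGIN, timeout: float = 5.0) -> str:
    """Request `url` with a probe Origin header and classify the returned CORS headers."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors(probe_origin, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # Error responses (4xx/5xx) can still carry CORS headers; classify those too.
        return classify_cors(probe_origin, dict(err.headers.items()))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <hubble-ui-url>")
    print(audit_hubble_ui(sys.argv[1]))
```

A result of `none` or `restricted` is what a patched or workaround-applied deployment should produce; any `permissive` result means the instance still lets an arbitrary origin read its responses from a visitor's browser.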
The Cilium community worked together with members of Isovalent to prepare the mitigations. Special acknowledgment was given to @ciffelia for reporting this issue and to @geakstr for providing the fix (GitHub Advisory).
Source: This report was generated using AI