CVE-2025-54470: 
Wolfi vulnerability analysis and mitigation

NeuVector telemetry sender (CVE-2025-54470) is a security vulnerability discovered in NeuVector deployments that affects versions 5.3.0 through 5.3.4 and 5.4.0 through 5.4.6. The vulnerability was disclosed on October 21, 2025, and impacts the telemetry data transmission functionality when the 'Report anonymous cluster data' option is enabled (GitHub Advisory).

The vulnerability stems from two critical security issues in the telemetry sender component: First, NeuVector fails to enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server at https://upgrades.neuvector-upgrade-responder.livestock.rancher.io, making it susceptible to man-in-the-middle (MITM) attacks. Second, the application loads telemetry server responses into memory without size limitations. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H (GitHub Advisory).

The vulnerability can lead to two primary security impacts: 1) Due to the lack of TLS certificate verification, attackers could potentially intercept or modify the transmitted telemetry data through man-in-the-middle attacks. 2) The unlimited memory allocation for server responses makes the system vulnerable to Denial of Service (DoS) attacks, which could lead to system resource exhaustion (GitHub Advisory).

The vulnerability has been patched in versions 5.3.5 and 5.4.7 and above. The security improvements include enforcing TLS certificate chain and hostname verification during the handshake process, and limiting telemetry server responses to 256 bytes. For users unable to update immediately, a temporary workaround is available by disabling the 'Report anonymous cluster data' option through Settings → Configuration → Report anonymous cluster data in the NeuVector UI (GitHub Advisory).