CVE-2025-13281

Summary

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetesv1.30.0 <= v1.30.14affected
KubernetesKubernetesv1.31.0 <= v1.31.14affected
KubernetesKubernetesv1.32.0 <= v1.32.9affected
KubernetesKubernetesv1.33.0 <= v1.33.5affected
KubernetesKubernetesv1.34.0 <= v1.34.1affected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery (SSRF)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References