d=gmail.com; s=20230601; t=1764609617; x=1765214417; darn=archlinux.ch; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:to:subject :message-id:date:from:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=WVbMGYV/tHUhhpQDpS92BpQGJJFgpynWd32k0IjvzLI=; b=DX+DG5KVA863JGeg2B7BE1A9a3Zx9RyQ+ZJtUsf7SKXy0KF5Z7HvSavG0h5mY2ZNXM RHGguml2ZKG8m2BwR3ihdlqVR8c95ArAKUu+K1hTeS7JdigF5uYVNGXJrvvbwYYOU/ER i6XXGzyBHaPU0QwK/wDxFAUO9bKP4cePX0AXDUXJOBiX2p61pYr+RjVjAnfThsk88iSd bgU1/6myL0NislJu3wTGRN356vpsS7ZGqTppkUMLEw5LstId0ORMB0P4ij8QgGql3ttt qFdJ3Xvr0eErZsu74s6iefK5pnbbJHRv2RGCsnUjghhQcP85kr0I4GyTuHWI2yVNQRct zRXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764609617; x=1765214417; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:to:subject :message-id:date:from:mime-version:x-gm-gg:x-beenthere :x-gm-message-state:sender:from:to:cc:subject:date:message-id :reply-to; bh=WVbMGYV/tHUhhpQDpS92BpQGJJFgpynWd32k0IjvzLI=; b=XSwPVF4TOmflpZrGDBYWn7L6gT20llb9cZx+RaWedkyZg3H6hWCMN9BWnBin86ENIQ X0pQQnC5z6L3Lw1hNVPM4qxQVfnJ2dQHYf7qIZlIlbSJIuvovRE/mxUW5Jb43AU1Bkj/ hfQoSEHCzT4mcCR6YRxe/YC2F5VGpF8fg3Zcr2GJIcpOStcHuRkexlf9JU8/hc4HjWtm 2xByDUsEo2GexbgmIynpMIGoYUfv9n0YRvvPAyKF04d+ocIhhQKzMFqT0zoFn50RhPat t86ygn4h06va18k2gRTInnxRier5Mg9YQ8BklbW/06KDZlCWGP/KehsUfbuMHMkkxjC6 r6Fg== Sender: kubernetes-announce@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCUlXxZvUOlm9AM7C/KwFKn9AQ2gXIrvR0bdgYqgUXi+qLBsUQQ6SzaL89h8N4MJThWxJHvqlZZCXrU=@archlinux.ch X-Gm-Message-State: AOJu0Yy0AnBIQGt9xntvASqePMHJ0O+9l0wgeYEudMg10Owm6dbUN+i8 svmHGSPMuXaN1EUygAqz3i3+2AF6Xjnwe5eJ1FbM4QuW10DA2r2TZIEe X-Google-Smtp-Source: AGHT+IEj8fgCCxAF85lLHzcQ8MQpHTccdDGXiPA5zpZB3BEdehilb0VCqSMBUizVoo6SqcC7UNPeaw== X-Received: by 2002:a05:6512:68e:b0:592:fcad:4a11 with SMTP id 2adb3069b0e04-596b4e4b9c6mr9047609e87.7.1764609616739; Mon, 01 Dec 2025 09:20:16 -0800 (PST) X-BeenThere: kubernetes-announce@googlegroups.com; h="Ae8XA+Z/DEr36SXGMsQBe3eDJ3fGmmUX1PcnsmlqnbErug2P/Q==" Received: by 2002:a05:6512:4141:b0:596:bdb9:a27e with SMTP id 2adb3069b0e04-596bdb9a2a7ls1060959e87.0.-pod-prod-09-eu; Mon, 01 Dec 2025 09:19:58 -0800 (PST) X-Received: by 2002:a2e:9813:0:b0:37b:b849:31c3 with SMTP id 38308e7fff4ca-37d0799b559mr62140861fa.44.1764609597643; Mon, 01 Dec 2025 09:19:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1764609597; cv=none; d=google.com; s=arc-20240605; b=f0iht4NNXDpLWAJJPDfem0XO0TEf4tsGVgMjqV/QX9M4Xg29QQiIuimRge1trVBsiQ ODDk2uzsOtYjn4FSzEo9e43xJftT0qRb++UpdyVOGZZgwB9P+PRMybfbwyS6NL4U5TB0 B5JOZqger/nc9IVrf3TY0tGT/OiREyPrjsp+zsPjXICYHEBHJjy8HJTy7eIqNh72uJsR rc2ND3DOgwQSnNBBrHyZY3OqYGI4+lEXOUPMgoPjQ3FL2/csnWuXEJ6a/iAlC06HHInx l3G77B/1pPVf+c5ue70m7wnJ8Fr2GdxaAhJ33ps/W5utEmYIo1xNSVLjt/OvAOZEMnAa i7jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=MYyinHT4ECW6wAbMbFy7SaRzwcCM+Xf7xq6QcO1aoCE=; fh=qczVMOSdoBUnxuV+WaeCvpSmu3uL+WQh8Mbp8wHcx5Q=; b=NqFbA7ClDzw8k2ZFtcsLvTt/oSHzc4ZXsG0+8CHX8luoltdp50IndnjNawNMXnpaDo Mdq+q8tM10O+8sgyWAqgV/elHqb+6t2X5GPkgmQFrR9ZvyfW6t9KScnG3HrQUD1IH3li +Y97AaytDA9gPYhSeaIGz/RNM13rc6+YqxvSC1Y0cKmovYbiHAtjWfcfOpCx2ixnVeP8 uT70TFpdHb3Jp0XW7YfsJ4iOvzAE8lRM8JE/PRQxGxJ55HWoZUPPinFb1BcINDXum/r8 L9ocBNE+E+R45I7O/+iQI7H8w9p3UUuEI/zsDzCAHS8ugnFgr53fCl4PtHd2JoKO35Zk VaZA==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="d38/RFMo"; spf=pass (google.com: domain of nathan.herz97@gmail.com designates 2a00:1450:4864:20::131 as permitted sender) smtp.mailfrom=nathan.herz97@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com. [2a00:1450:4864:20::131]) by gmr-mx.google.com with ESMTPS id 38308e7fff4ca-37d236ad495si1465991fa.1.2025.12.01.09.19.57 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 01 Dec 2025 09:19:57 -0800 (PST) Received-SPF: pass (google.com: domain of nathan.herz97@gmail.com designates 2a00:1450:4864:20::131 as permitted sender) client-ip=2a00:1450:4864:20::131; Received: by mail-lf1-x131.google.com with SMTP id 2adb3069b0e04-59581e32163so4064969e87.1 for ; Mon, 01 Dec 2025 09:19:57 -0800 (PST) X-Gm-Gg: ASbGncuV3G7MAEMYSeD+/5xKI9ES3Qw3laPPiXqwJc5GmgoBEKNHb9cWhn2oHPY8gsW mDhMrEE9BZOPWZ1FtGVC+sb9K9doaqP0BW5+WgNHHJ+I4g6N0u3FBDxQE1BsCFYlQNMtV3Kb6NQ z5i4tWXs8Tfn3CVl3gBl8yCvmNbf2AAace3j+tsU89ON8krZTlswWgP93EoKoMmkq+j9AxHq5pf GC4faU9sKjZU1Ldbn6292NtlrSr6in/FeiX349dUZNgrhrWFJeBTxKKydBdw/tgpb0ibkg= X-Received: by 2002:a05:6512:1047:b0:594:4e9f:98ec with SMTP id 2adb3069b0e04-596b4e5b445mr9157067e87.20.1764609596404; Mon, 01 Dec 2025 09:19:56 -0800 (PST) MIME-Version: 1.0 From: Nathan Herz Date: Mon, 1 Dec 2025 09:19:44 -0800 X-Gm-Features: AWmQ_bl-868N9WH7vwhqXEAeINhDT7i_7cqXBmGaRmff4V73eiHbeArNaI_HXmo Message-ID: Subject: [kubernetes-announce] [Security Advisory] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager To: kubernetes-announce@googlegroups.com, dev@kubernetes.io, kubernetes-security-announce@googlegroups.com, kubernetes-security-discuss@googlegroups.com, distributors-announce@kubernetes.io Content-Type: multipart/alternative; boundary="0000000000002939810644e730bc" X-Original-Sender: nathan.herz97@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="d38/RFMo"; spf=pass (google.com: domain of nathan.herz97@gmail.com designates 2a00:1450:4864:20::131 as permitted sender) smtp.mailfrom=nathan.herz97@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Reply-To: kubernetes-announce+managers@googlegroups.com Precedence: list Mailing-list: list kubernetes-announce@googlegroups.com; contact kubernetes-announce+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: kubernetes-announce@googlegroups.com X-Google-Group-Id: 989743197474 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-DKIM: signer='googlegroups.com' status='pass' reason='' DKIMCheck: Server passes DKIM test, 0 Spam score X-DKIM: signer='gmail.com' status='pass' reason='' X-Spam-Score: 1.8 (+) X-Spam-Report: Spam detection software, running on the system "witcher.mxrouting.net", has performed the tests listed below against this email. Information: https://mxroutedocs.com/directadmin/spamfilters/ --- Content analysis details: (1.8 points) --- pts rule name description ---- ---------------------- ----------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: googlegroups.com] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [nathan.herz97[at]gmail.com] 1.5 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [209.85.167.62 listed in list.dnswl.org] 1.5 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager SpamTally: Final spam score: 18 --0000000000002939810644e730bc Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hello Kubernetes Community, A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane=E2=80=99s host network (includin= g link-local or loopback services). The in-tree Portworx StorageClass has been disabled by default starting in version v1.31 from the CSIMigrationPortworx feature gate. As a result, currently supported versions greater than or equal to v1.32 are not impacted unless the CSIMigrationPortworx feature gate is disabled with an override. This issue has been rated Medium (5.8) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N , and assigned CVE-2025-13281. Am I vulnerable? You may be vulnerable if all of the following are true: - You are running a vulnerable version and have manually disabled the CSIMigrationPortworx feature gate. - There are unprotected endpoints normally only visible from the control plane=E2=80=99s host network (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in th= e control plane=E2=80=99s private network). - Untrusted users can create pods with the affected Portworx volume type. Affected Versions The CSIMigrationPortworx feature gate was enabled by default starting on version v1.31. As a result, EOL versions <=3D v1.30 are more likely to be vulnerable because the CSIMigrationPortworx feature is disabled by default. - kube-controller-manager: <=3D v1.30.14 - kube-controller-manager: <=3D v1.31.14 - kube-controller-manager: <=3D v1.32.9 - kube-controller-manager: <=3D v1.33.5 - kube-controller-manager: <=3D v1.34.1 How do I mitigate this vulnerability? This issue can be mitigated by upgrading to a fixed kube-controller-manager version or by enabling the CSIMigrationPortworx feature gate (if it was overridden from its default value in versions greater than equal to v1.31). Fixed Versions - kube-controller-manager: >=3D v1.32.10 - kube-controller-manager: >=3D v1.33.6 - kube-controller-manager: >=3D v1.34.2 Detection This issue can be detected on clusters which have the CSIMigrationPortworx feature gate disabled on impacted versions by analyzing ProvisioningFailed events from kube-controller-manager which may contain sensitive information from the control plane=E2=80=99s host network. If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io Additional Details See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/135525 Acknowledgements The issue was fixed and coordinated by: - Ankit Gohil @gohilankit Thank You, Nathan Herz on behalf of the Kubernetes Security Response Committee --=20 You received this message because you are subscribed to the Google Groups "= kubernetes-announce" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to kubernetes-announce+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/kubernetes-= announce/CABrZYSCUw_uz3Xd%2BoiJ2W1cL%2BgSiHw9KC7ZmfAHYc-Lw%3De%2BNoA%40mail= .gmail.com. --0000000000002939810644e730bc Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

Hello Kubernetes Community,


A half-blind Server= Side Request Forgery (SSRF) vulnerability exists in kube-controller-manage= r when using the in-tree Portworx StorageClass. This vulnerability allows a= uthorized users to leak arbitrary information from unprotected endpoints in= the control plane=E2=80=99s host network (including link-local or loopback= services).=C2=A0


The in-tree Portworx StorageClass has been= disabled by default starting in version v1.31 from the CSIMigrationPortwor= x feature gate. As a result, currently supported versions greater than or e= qual to v1.32 are not impacted unless the CSIMigrationPortworx feature gate= is disabled with an override.


This issue has been rated Medium (5.8) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N<= /a>, and assigned CVE-2025-13281.


Am I v= ulnerable?


You may be vulnerable if all of the following = are true:


  • You are running a vulne= rable version and have manually disabled the CSIMigrationPortworx f= eature gate.

  • There are unprotected endpoints normally only visible from the con= trol plane=E2=80=99s host network (including link-local metadata endpoints,= unauthenticated services listening on localhost, or other services in the = control plane=E2=80=99s private network).

  • Untrusted users can create pods with = the affected Portworx volume type.

<= br>

Affected Versions


The CSIMigrationPortworx= feature gate was enabled by default starting on version v1.31. As a result= , EOL versions <=3D v1.30 are more likely to be vulnerable because the C= SIMigrationPortworx feature is disabled by default.

  • kube-controller-manager: <=3D v1.30.14

  • kube-controller-manager: <=3D= v1.31.14=C2=A0

  • kube-controller-manager: <=3D v1.32.9=C2=A0

  • kube-controller-manager: <=3D= v1.33.5=C2=A0

  • kube-controller-manager: <=3D v1.34.1=C2=A0

How do I mitigate this vulnerability?


This issue can be m= itigated by upgrading to a fixed kube-controller-manager version or by enab= ling the CSIMigrationPortworx feature gate (if it was overridden from its d= efault value in versions greater than equal to v1.31).

Fixe= d Versions

  • kube-controller-manager: >= =3D v1.32.10

  • kube-controller-manager: >=3D v1.33.6

  • kube-controller-manager: >=3D v1.34.2=

Detection

This issue can b= e detected on clusters which have the CSIMigrationPortworx feature = gate disabled on impacted versions by analyzing ProvisioningFailed events f= rom kube-controller-manager which may contain sensitive information from th= e control plane=E2=80=99s host network.


If you find evidenc= e that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/i= ssues/135525


Acknowledgements


The issue = was fixed and coordinated by:

  • Ankit Gohil @gohilankit
<= p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><= span style=3D"font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);= background-color:transparent;font-weight:400;font-style:normal;font-variant= :normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">= Thank You,


Nathan Herz on behalf of the Kubernetes Security = Response Committee


--
You received this message because you are subscribed to the Google Groups &= quot;kubernetes-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to kubernetes-announce+unsubscribe@googlegroups.com.
To view this discussion visit https://group= s.google.com/d/msgid/kubernetes-announce/CABrZYSCUw_uz3Xd%2BoiJ2W1cL%2BgSiH= w9KC7ZmfAHYc-Lw%3De%2BNoA%40mail.gmail.com.
--0000000000002939810644e730bc-- From - Mon Dec 01 20:14:38 2025 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id oAsjHdrnLWn83zoAYBR5ng (envelope-from ); Mon, 01 Dec 2025 19:09:14 +0000 Return-path: Envelope-to: pfeifferj@archlinux.ch Delivery-date: Mon, 01 Dec 2025 19:09:17 +0000 Received: from dmz-zur-gw1-campaign.ubs.com ([165.222.56.152]) by witcher.mxrouting.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.98) (envelope-from ) id 1vQ9Gr-0000000GEMg-07Zq for pfeifferj@archlinux.ch; Mon, 01 Dec 2025 19:09:14 +0000 Received: from localhost (localhost [127.0.0.1]) by postfix.amavisd (Postfix) with ESMTP id 4dKtWk6BwWzYkvKY for ; Mon, 1 Dec 2025 20:00:18 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailing.ubs.com; h=content-type:content-type:list-unsubscribe :list-unsubscribe-post:message-id:x-mailer:mime-version:reply-to :date:date:subject:subject:from:from:received:received:received; s=srsa2048; t=1764615614; bh=JjrlZgVbGecr1tkh+/BtFiauyY4EfWwhkH dKMdyjXAA=; b=OuC566upfA0uIJ09IF9EVLJP/EsbDMinm5KYwg9eaoByBQuajy SzuxypqN6pxSAdPSZd1yz4O+83yI5jdi7YIFI70nuAZtU9ernKib87zqdnjZm+4g P+VWN/DQEffhmkUptIvwK2N6gYWMDyVu6HL1k+e/AZrBCN7nUBKtfrC4cGa/bOBB lR22/6VPZGap6oam0S8/ouQ20jY0VyLtLeGGkjmQgxIyCd3vjUmLVdXfrwBtTDUn g19Lr06su99whtM/hVxFvXjyUg0pYtY38IIHH8PkrMn/JnNEY/pxk/MvF1ty5BdS dlrVcYmPwf8Uc/X58ci1x6fJOGf+tgGdv/AQ== Received: from dmz-zur-gw1-campaign.ubs.com ([127.0.0.1]) by localhost (a317-5911-3645.zur.ub