[Security Advisory] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager

10 views
Skip to first unread message

Nathan Herz

unread,
Dec 1, 2025, 12:20:26 PM (2 days ago) Dec 1
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io

Hello Kubernetes Community,


A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services). 


The in-tree Portworx StorageClass has been disabled by default starting in version v1.31 from the CSIMigrationPortworx feature gate. As a result, currently supported versions greater than or equal to v1.32 are not impacted unless the CSIMigrationPortworx feature gate is disabled with an override.


This issue has been rated Medium (5.8) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N, and assigned CVE-2025-13281.


Am I vulnerable?


You may be vulnerable if all of the following are true:


  • You are running a vulnerable version and have manually disabled the CSIMigrationPortworx feature gate.

  • There are unprotected endpoints normally only visible from the control plane’s host network (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the control plane’s private network).

  • Untrusted users can create pods with the affected Portworx volume type.


Affected Versions


The CSIMigrationPortworx feature gate was enabled by default starting on version v1.31. As a result, EOL versions <= v1.30 are more likely to be vulnerable because the CSIMigrationPortworx feature is disabled by default.

  • kube-controller-manager: <= v1.30.14

  • kube-controller-manager: <= v1.31.14 

  • kube-controller-manager: <= v1.32.9 

  • kube-controller-manager: <= v1.33.5 

  • kube-controller-manager: <= v1.34.1 

How do I mitigate this vulnerability?


This issue can be mitigated by upgrading to a fixed kube-controller-manager version or by enabling the CSIMigrationPortworx feature gate (if it was overridden from its default value in versions greater than equal to v1.31).

Fixed Versions

  • kube-controller-manager: >= v1.32.10

  • kube-controller-manager: >= v1.33.6

  • kube-controller-manager: >= v1.34.2

Detection

This issue can be detected on clusters which have the CSIMigrationPortworx feature gate disabled on impacted versions by analyzing ProvisioningFailed events from kube-controller-manager which may contain sensitive information from the control plane’s host network.


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/135525


Acknowledgements


The issue was fixed and coordinated by:

  • Ankit Gohil @gohilankit

Thank You,


Nathan Herz on behalf of the Kubernetes Security Response Committee


Reply all
Reply to author
Forward
0 new messages