{"id":"GHSA-jv3w-x3r3-g6rm","summary":"CNI Plugins Portmap nftables backend can intercept non-local traffic","details":"### Background\n\nThe CNI `portmap` plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to `198.51.100.42:53` be forwarded to the container's network.\n\n### Vulnerability\n\nWhen the `portmap` plugin is configured with the `nftables` backend, it inadvertently forwards all traffic with the same destination port as the host port, **ignoring the destination IP**. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.\n\nIn the given example above, traffic destined to port 53 but for a _separate container_ would still be captured and forwarded, even though it was not destined for the host.\n\n### Impact\n\nContainers (i.e. Kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the `portmap` plugin be explicitly configured to use the `nftables` backend. (The `iptables` backend is the default.)\n\n### Patches\nThis is fixed as of CNI plugins v1.9.0.\n\n### Workarounds\nConfigure the `portmap` plugin to use the `iptables` backend. It does not have this vulnerability.","aliases":["CVE-2025-67499","GO-2025-4222"],"modified":"2026-02-04T02:52:56.600366Z","published":"2025-12-09T17:18:59Z","related":["CGA-fw2j-7wj8-qqwr"],"database_specific":{"nvd_published_at":"2025-12-10T00:16:11Z","github_reviewed":true,"github_reviewed_at":"2025-12-09T17:18:59Z","severity":"MODERATE","cwe_ids":["CWE-200"]},"references":[{"type":"WEB","url":"https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67499"},{"type":"WEB","url":"https://github.com/containernetworking/plugins/pull/1210"},{"type":"WEB","url":"https://github.com/containernetworking/plugins/commit/9b3772e1a7abf93cbb7c6526a28bc0d27b830e02"},{"type":"PACKAGE","url":"https://github.com/containernetworking/plugins"},{"type":"WEB","url":"https://github.com/containernetworking/plugins/releases/tag/v1.9.0"}],"affected":[{"package":{"name":"github.com/containernetworking/plugins","ecosystem":"Go","purl":"pkg:golang/github.com/containernetworking/plugins"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.6.0"},{"fixed":"1.9.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-jv3w-x3r3-g6rm/GHSA-jv3w-x3r3-g6rm.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"}]}