GHSA-24qp-4xx8-3jvj · Severity: low · Ecosystem: go — Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.
Conclusion & alert: CVE-2025-30162 is rated Low Risk (16.3/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.20%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.01% | 0.20% | +0.18% |
| 2 | 2025-03-25 | — | 0.01% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 3.2 | 3.1 | LOW |
|
1.4 | 1.4 | [email protected] |
| 4.3 | 3.1 | MEDIUM |
|
2.5 | 1.4 | [email protected] |
GHSA-24qp-4xx8-3jvj · Severity: low · Ecosystem: go — Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2025-30162 |
| URL | Tags |
|---|---|
| https://docs.cilium.io/en/stable/network/lb-ipam | Product |
| https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj | Mitigation Patch Third Party Advisory |
| https://github.com/cilium/proxy/pull/1172 | Patch |