CVE-2025-30162

Name of the Vulnerable Software and Affected Versions Cilium versions 1.15.0 through 1.15.14 Cilium versions 1.16.0 through 1.16.7 Cilium versions 1.17.0 through 1.17.1

Description The issue affects Cilium users who use Gateway API for Ingress and LB-IPAM or BGP for LoadBalancer Service implementation, and also use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces. In such cases, egress traffic from workloads covered by these network policies to LoadBalancers configured by Gateway resources will be incorrectly allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected.

Recommendations For Cilium versions 1.15.0 through 1.15.14, update to version 1.15.15 to resolve the issue. For Cilium versions 1.16.0 through 1.16.7, update to version 1.16.8 to resolve the issue. For Cilium versions 1.17.0 through 1.17.1, update to version 1.17.2 to resolve the issue. As a temporary workaround for users who are unable to upgrade, a Clusterwide Cilium Network Policy can be used to mitigate this issue.