PT-2025-43269 · Neuvector · Neuvector

Published: 2025-10-21 · Updated: 2025-11-07 · CVE-2025-54470

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: NeuVector versions prior to 5.4.7

Description: NeuVector deployments are affected when the "Report anonymous cluster data" option is enabled. Without TLS certificate verification, the communication channel to the telemetry server at https://upgrades.neuvector-upgrade-responder.livestock.rancher.io is susceptible to man-in-the-middle (MITM) attacks, potentially allowing an attacker to intercept or modify data. Additionally, NeuVector loads the telemetry server's response into memory without a size limitation, creating a potential Denial of Service (DoS) attack vector. The telemetry server's TLS certificate chain and hostname are not verified during the handshake process.

Recommendations: Versions prior to 5.4.7 should be updated to version 5.4.7 or later. As a temporary workaround, disable the "Report anonymous cluster data" option in the NeuVector UI under Settings -> Configuration -> Report anonymous cluster data.

Fix

DoS

Allocation of Resources Without Limits

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

CVE-2025-54470
GHSA-QQJ3-G7MX-5P4W
GO-2025-4044
OPENSUSE-SU-2025:15710-1

Affected Products

Neuvector