PT-2025-45117 · Gateway
Published: 2025-11-04 · Updated: 2025-11-17
CVE-2025-64323
CVSS v3.1: 5.3 (Medium)
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
kgateway versions 2.0.4 and below
kgateway versions 2.1.0-agw-cel-rbac through 2.1.0-rc.2
Description
kgateway, a Cloud-Native API and AI Gateway, does not require authentication on its xDS port. Any client with network access to that port can therefore retrieve sensitive configuration data, including certificate data, backend service information, routing rules, and cluster metadata. The CVSS vector (AV:A, AC:H, C:H) reflects that the port must be reachable from the attacker's network segment and that the impact is limited to disclosure of this configuration.
Recommendations
For the 2.0.x branch, update to version 2.0.5 or later.
For the 2.1.0 pre-releases, update to version 2.1.0 or later.
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2025-64323
Affected Products
Gateway