PT-2025-47037 · Go · Github.Com/Kgateway-Dev/Kgateway/V2

Published

2025-11-04

·

Updated

2025-11-04

CVSS v3.1

6.3

Medium

VectorAV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Summary

The transformation policy template feature in Kgateway versions through 2.0.4 allows users with TrafficPolicy creation permissions to craft transformations that read and expose arbitrary files from the dataplane container filesystem.

Description

Impact

Users with permissions to create a TrafficPolicy can create a transformation that returns files from within the dataplane container. While no secrets are mounted to the container by default, users who mount custom volumes to the dataplane should be aware of potential data exposure through this vulnerability.
This could allow unauthorized access to:
  • Configuration files within the container
  • Custom mounted volumes and their contents
  • Any files accessible to the dataplane container process
Note: Updated availability score to high, as under some configurations this can prevent xDS updates.

Patches

Upgrade to version 2.0.5 or 2.1.0. These versions include an updated transformation filter in envoy-gloo that prevents file access through transformation templates.

Workarounds

If you are not using transformations, you can disallow TrafficPolicy creation or restrict transformation usage using a ValidatingAdmissionPolicy to prevent exploitation while preparing to upgrade.

References

Credits

Kindly reported by @rikatz

For More Information

If you have any questions or comments about this advisory, please reach out in slack https://cloud-native.slack.com/archives/C080D3PJMS4

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

GHSA-5PMX-7R6R-WFQQ

Affected Products

Github.Com/Kgateway-Dev/Kgateway/V2