PT-2025-50280 · Unknown+2 · Cni Portmap Plugin+2
Published: 2025-12-09 · Updated: 2026-05-18
CVE-2025-67499
CVSS v3.1: 6.6 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
CNI portmap plugin versions 1.6.0 through 1.8.0
Description
The CNI portmap plugin flaw allows containers to intercept traffic not intended for the node. This occurs when the plugin is configured with the nftables backend, inadvertently forwarding all traffic with the same destination port as the host port, regardless of the destination IP address. Containers requesting HostPort forwarding can intercept all traffic destined for that port. This requires explicit configuration of the portmap plugin to use the nftables backend.
Recommendations
For versions 1.6.0 through 1.8.0, configure the portmap plugin to use the iptables backend.
For versions 1.6.0 through 1.8.0, update to version 1.9.0.
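To find nodes exposed by the explicit configuration described above, the following added example (not part of the advisory or the CNI project) lists CNI network configs whose portmap entry selects the nftables backend. The `backend` key name, the `/etc/cni/net.d` directory and the sample conflist are assumptions or constructed values; the installed plugin version must still be checked separately.

```python
import json
import sys
from pathlib import Path

# Constructed sample conflist (not from the advisory): a bridge network with
# portmap explicitly set to the nftables backend.
SAMPLE_CONFLIST = """
{
  "cniVersion": "1.0.0",
  "name": "example-net",
  "plugins": [
    {"type": "bridge", "bridge": "cni0"},
    {"type": "portmap", "capabilities": {"portMappings": true}, "backend": "nftables"}
  ]
}
"""

def find_nftables_portmap(conf_text, source="<inline>"):
    """Return [(source, network_name)] for portmap entries that explicitly select nftables."""
    try:
        conf = json.loads(conf_text)
    except json.JSONDecodeError:
        return []  # unparsable files are skipped, not flagged
    if not isinstance(conf, dict):
        return []
    # A .conflist carries a "plugins" array; a single-plugin .conf is the plugin object itself.
    plugins = conf["plugins"] if isinstance(conf.get("plugins"), list) else [conf]
    return [
        (source, conf.get("name", "<unnamed>"))
        for p in plugins
        if isinstance(p, dict)
        and p.get("type") == "portmap"
        and str(p.get("backend", "")).strip().lower() == "nftables"
    ]

def scan_dir(conf_dir="/etc/cni/net.d"):
    """Check every CNI config file in conf_dir (assumed default location)."""
    findings = []
    for path in sorted(Path(conf_dir).glob("*")):
        if path.suffix in (".conf", ".conflist", ".json") and path.is_file():
            findings += find_nftables_portmap(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    hits = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else find_nftables_portmap(SAMPLE_CONFLIST)
    for source, name in hits:
        print(f"{source}: network {name!r} uses portmap with backend=nftables; "
              "check plugin version against 1.6.0-1.8.0")
```

Run it with a directory argument on each node; a config with no `backend` key is not flagged, since the issue requires the nftables backend to be set explicitly.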
Exploit
Fix
Information Disclosure
Affected Products
Alt Linux
Cni Portmap Plugin
Red Os