Cilium is a popular open-source networking, observability, and security solution that uses eBPF (extended Berkeley Packet Filter) for its dataplane. Cilium's flexibility and performance make it well-suited for use in Kubernetes clusters. However, as with any complex software, Cilium is not without its share of security vulnerabilities. This post will explore a recently discovered vulnerability in Cilium's Hubble UI component, tagged as CVE-2025-23047.
Affected Versions
Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 are affected by this vulnerability.
Exploit Details
This vulnerability is caused by an insecure default Access-Control-Allow-Origin header value in Cilium's Hubble UI component. For users deploying Hubble UI using either the Cilium CLI or via the Cilium Helm chart, this could lead to sensitive data exposure.
The CORS (Cross-Origin Resource Sharing) header value in the Cilium Helm chart template defaults to:
accessControlAllowOrigin: "\"*\""
The problem is that this default allows any origin to request resources from, and read responses of, the Hubble UI. In practice, any website you visit could read data from a Hubble UI instance that your browser is able to reach.
An attacker with access to an affected Hubble UI instance could potentially extract sensitive information about the Kubernetes cluster that the UI is monitoring, such as node names, IP addresses, and metadata about workloads and the cluster networking configuration.
To exploit this vulnerability, a victim would have to first visit a malicious website that would then access the sensitive data exposed by the insecure header value.
Solution and Workarounds
This issue has been fixed in Cilium versions v1.14.18, v1.15.12, and v1.16.5. Updating to these versions is the recommended course of action.
As a workaround, users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template. The patch from commit a3489f190ba6e87b5336ee685fb6c80b127d06d demonstrates how to do this:
--- a/hubble-ui/templates/ingress.yaml
+++ b/hubble-ui/templates/ingress.yaml
@@ -23,7 +23,6 @@ spec:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- end }}
kubernetes.io/ingress.class: {{ .Values.ingress.className }}
- nginx.ingress.kubernetes.io/configuration-snippet: 'more_set_headers "Access-Control-Allow-Origin: {{ .Values.ingress.accessControlAllowOrigin }}";'
{{- with .Values.ingress.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
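Review bot: the removed `-` line drops the only consumer of `.Values.ingress.accessControlAllowOrigin`, yet the hunk does not touch values.yaml, so the `accessControlAllowOrigin: "\"*\""` default quoted above becomes dead configuration that a reader could reasonably assume still takes effect; remove the value (or document it as a no-op) in the same change. The commit message should also state that this template covers only the Helm ingress path, since the text above names the Cilium CLI deployment as shipping the same default and nothing in this hunk addresses it.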
Removing the header means browsers will no longer allow pages on other origins to read responses from the Hubble UI, which mitigates the vulnerability.
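As an added example (not code from the Cilium project or from this post), the following Python helper classifies a Hubble UI response's CORS headers the way a browser would, so you can confirm whether an instance still serves the wildcard default described above and whether the workaround actually removed it. The probe origin, the sample header sets and the URL you pass to probe() are assumptions.

```python
"""Added audit helper (not Cilium project code) for the Hubble UI CORS default.
classify_cors() decides from response headers whether a page on a foreign
`origin` could read the reply in a browser; probe() fetches a URL with that
Origin set so you can check your own Hubble UI. Probe origin and samples are constructed.
"""
import urllib.error
import urllib.request
from typing import Mapping, Tuple

PROBE_ORIGIN = "https://cors-probe.invalid"  # constructed, reserved TLD, never a real site


def classify_cors(headers: Mapping[str, str], origin: str) -> Tuple[str, bool]:
    """Return (mode, credentialed) for a response seen from a foreign origin.

    'wildcard'    ACAO is '*', the vulnerable chart default: any site can read
                  the body. Browsers never attach credentials to a '*' reply, so
                  this matters for instances reachable without authentication.
    'reflected'   ACAO echoes the origin we sent; with Allow-Credentials: true
                  (credentialed=True) even an authenticated user's data leaks.
    'allowlisted' ACAO names a fixed origin other than ours: browser blocks us.
    'blocked'     no ACAO header at all, the state after the workaround.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}  # case-insensitive names
    credentialed = lower.get("access-control-allow-credentials", "").lower() == "true"
    acao = lower.get("access-control-allow-origin")
    if acao is None:
        return "blocked", credentialed
    acao = acao.strip('"')  # tolerate a value that reached the wire still quoted
    if acao == "*":
        return "wildcard", credentialed
    if acao == origin:
        return "reflected", credentialed
    return "allowlisted", credentialed


def probe(url: str, origin: str = PROBE_ORIGIN) -> Tuple[str, bool]:
    """GET `url` with a foreign Origin header and classify the reply.
    4xx/5xx replies still carry headers, so they are classified too."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_cors(dict(resp.headers.items()), origin)
    except urllib.error.HTTPError as err:
        return classify_cors(dict(err.headers.items()), origin)


VULNERABLE_DEFAULT = {"Access-Control-Allow-Origin": "*"}  # constructed: chart default on the wire
FIXED_RESPONSE = {"Content-Type": "application/json"}  # constructed: no ACAO after the fix
```

Run probe() against a Hubble UI URL of your own; anything other than "blocked" or "allowlisted" means a foreign page can read the response.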
Conclusion
Security vulnerabilities are an unfortunate part of the software development lifecycle, but by staying informed, updating to the latest versions, and applying workarounds when needed, we can keep our systems secure. CVE-2025-23047 may have shown that even a seemingly minor issue like a default value can lead to sensitive data exposure, but it also highlights the importance of keeping up to date with security patches and being proactive in addressing vulnerabilities.
Timeline
Published on: 01/22/2025 18:15:21 UTC