VDB
CVE-2025-13281
CVE-2025-13281
PUBLISHED
CVSS 5.800000190734863 MEDIUM
A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).
EPSS 0.01% · 1.5th percentile
Risk Scores
CVSS 3.1
5.800000190734863
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS Score
0.01%
1.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kubernetes | 1.33.0, v1.31.0, v1.32.0 |
| k8s.io | kubernetes | 1.33.0-alpha.0, 1.34.0-alpha.0, 0 |
Timeline
- Nov 16, 2025 CVE ID Reserved
- Dec 1, 2025 PoC Published
- Dec 1, 2025 PoC Published
- Dec 2, 2025 PoC Published
- Dec 2, 2025 PoC Published
- Dec 14, 2025 CVE Published
- Dec 15, 2025 EPSS Score
- Dec 15, 2025 CVE Updated
- Dec 19, 2025 EPSS Score
- Dec 23, 2025 EPSS Score
- Dec 27, 2025 EPSS Score
- Dec 31, 2025 EPSS Score
References
- https://github.com/kubernetes/kubernetes/issues/135525 url
- https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ mailing-list
- http://www.openwall.com/lists/oss-security/2025/12/01/4 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-13281 advisory
- https://github.com/kubernetes/kubernetes/commit/7506ce804c20696ba32cdb72126270ceaed06e24 url
- https://github.com/kubernetes/kubernetes/commit/97650c1c4fe15cbb7756ba95b3edc8a8665063ca url
- https://github.com/kubernetes/kubernetes/commit/dbe17dfe7773563eac95534040f413ada6d2b421 url
- https://github.com/advisories/GHSA-r6j8-c6r2-37rr advisory
- https://github.com/kubernetes/kubernetes package