VDB

CVE-2025-13281

CVE-2025-13281 PUBLISHED CVSS 5.800000190734863 MEDIUM

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

EPSS 0.01% · 1.5th percentile

Risk Scores

CVSS 3.1
5.800000190734863
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS Score
0.01%
1.5th percentile

Affected Products

VendorProductVersions
KubernetesKubernetes1.33.0, v1.31.0, v1.32.0
k8s.iokubernetes1.33.0-alpha.0, 1.34.0-alpha.0, 0

Timeline

  • Nov 16, 2025 CVE ID Reserved
  • Dec 1, 2025 PoC Published
  • Dec 1, 2025 PoC Published
  • Dec 2, 2025 PoC Published
  • Dec 2, 2025 PoC Published
  • Dec 14, 2025 CVE Published
  • Dec 15, 2025 EPSS Score
  • Dec 15, 2025 CVE Updated
  • Dec 19, 2025 EPSS Score
  • Dec 23, 2025 EPSS Score
  • Dec 27, 2025 EPSS Score
  • Dec 31, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›