logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-48056 github.com/cilium/hubble

Package

Manager: go
Name: github.com/cilium/hubble
Vulnerable Version: >=0 <1.17.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00046 pctl0.1341

Details

Character injection in Hubble CLI ### Impact A network attacker could inject malicious control characters into Hubble CLI terminal output, potentially leading to loss of integrity and manipulation of the output. This could be leveraged to conceal log entries, rewrite output, or even make the terminal temporarily unusable. Exploitation of this attack would require the victim to be monitoring Kafka traffic using [Layer 7 Protocol Visibility](https://docs.cilium.io/en/stable/observability/visibility/#layer-7-protocol-visibility) at the time of the attack. ### Patches This issue affects all versions of Hubble CLI before v1.17.2. The issue is patched in Hubble CLI v1.17.2, via https://github.com/cilium/cilium/pull/37401. ### Workarounds Hubble CLI users who are unable to upgrade can direct their Hubble flows to a log file and inspect the output within a text editor. ### Acknowledgements The Cilium community has worked together with members of Isovalent and the Cisco ASIG team to prepare these mitigations. Special thanks to @bipierce-cisco and @kokelley-cisco for reporting the issue and to @devodev for the fix. ### For more information If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Metadata

Created: 2025-05-21T17:16:19Z
Modified: 2025-05-21T17:16:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-274q-79q9-52j7/GHSA-274q-79q9-52j7.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-274q-79q9-52j7
Finding: F404
Auto approve: 1