[Security Advisory] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager

Security_k8s.io · December 1, 2025, 5:22pm

Hello Kubernetes Community,

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

The in-tree Portworx StorageClass has been disabled by default starting in version v1.31 from the CSIMigrationPortworx feature gate. As a result, currently supported versions greater than or equal to v1.32 are not impacted unless the CSIMigrationPortworx feature gate is disabled with an override.

This issue has been rated Medium (5.8) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N, and assigned CVE-2025-13281.

Am I vulnerable?

You may be vulnerable if all of the following are true:

You are running a vulnerable version and have manually disabled the CSIMigrationPortworx feature gate.
There are unprotected endpoints normally only visible from the control plane’s host network (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the control plane’s private network).
Untrusted users can create pods with the affected Portworx volume type.

Affected Versions

The CSIMigrationPortworx feature gate was enabled by default starting on version v1.31. As a result, EOL versions <= v1.30 are more likely to be vulnerable because the CSIMigrationPortworx feature is disabled by default.

kube-controller-manager: <= v1.30.14
kube-controller-manager: <= v1.31.14
kube-controller-manager: <= v1.32.9
kube-controller-manager: <= v1.33.5
kube-controller-manager: <= v1.34.1

How do I mitigate this vulnerability?

This issue can be mitigated by upgrading to a fixed kube-controller-manager version or by enabling the CSIMigrationPortworx feature gate (if it was overridden from its default value in versions greater than equal to v1.31).

Fixed Versions

kube-controller-manager: >= v1.32.10
kube-controller-manager: >= v1.33.6
kube-controller-manager: >= v1.34.2

Detection

This issue can be detected on clusters which have the CSIMigrationPortworx feature gate disabled on impacted versions by analyzing ProvisioningFailed events from kube-controller-manager which may contain sensitive information from the control plane’s host network.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager · Issue #135525 · kubernetes/kubernetes · GitHub

Acknowledgements

The issue was fixed and coordinated by:

Ankit Gohil @gohilankit

Thank You,

Nathan Herz on behalf of the Kubernetes Security Response Committee

Topic		Replies	Views
[Security Advisory] CVE-2020-8555: Half-Blind SSRF in kube-controller-manager Announcements security	0	1349	June 1, 2020
[Security Advisory] CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API Announcements	0	386	February 13, 2025
[ANNOUNCE] CVE-2019-11253: denial of service vulnerability from malicious YAML or JSON payloads Announcements cve	0	3909	October 16, 2019
[Security Advisory] CVE-2022-3162: Unauthorized read of Custom Resources Announcements	0	1041	November 10, 2022
[Security Advisory] [CSI snapshot-controller] CVE-2020-8569: snapshot-controller DoS Announcements security , cve	1	1266	December 15, 2020

[Security Advisory] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager

Related topics