Hello Kubernetes Community,

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in
kube-controller-manager when using the in-tree Portworx StorageClass. This
vulnerability allows authorized users to leak arbitrary information from
unprotected endpoints in the control plane’s host network (including
link-local or loopback services).

The in-tree Portworx StorageClass has been disabled by default since version
v1.31, where the CSIMigrationPortworx feature gate became enabled by default.
As a result, currently supported versions (v1.32 and later) are not impacted
unless the CSIMigrationPortworx feature gate has been explicitly disabled with
an override.

This issue has been rated Medium (5.8)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
<https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N>,
and assigned CVE-2025-13281.

Am I vulnerable?

You may be vulnerable if all of the following are true:

   - You are running a vulnerable version and have manually disabled the
     CSIMigrationPortworx feature gate.
   - There are unprotected endpoints normally only visible from the control
     plane’s host network (including link-local metadata endpoints,
     unauthenticated services listening on localhost, or other services in the
     control plane’s private network).
   - Untrusted users can create pods with the affected Portworx volume type.
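The first condition above (a vulnerable version with the gate overridden) can be checked mechanically from the kube-controller-manager command line, for example the `command:` list of its static pod manifest. The script below is an added example, not code from the advisory or the Kubernetes project: it parses `--feature-gates`, applies the advisory's default (gate on from v1.31) and fixed-version table, and reports whether the in-tree Portworx path is still active on an unfixed release. The command lines it runs against are constructed, and treating minors newer than v1.34 as fixed is an assumption.

```python
"""Check whether a kube-controller-manager command line leaves the in-tree
Portworx provisioning path active (CSIMigrationPortworx effectively off) on
a version without the fix. Added example, not code from the advisory or the
Kubernetes project; the command lines below are constructed."""
import re

GATE = "CSIMigrationPortworx"
# Per the advisory: the gate is enabled by default from v1.31 on.
GATE_DEFAULT_ON_FROM_MINOR = 31
# Per the advisory: first fixed patch release for each supported minor.
FIXED_PATCH = {32: 10, 33: 6, 34: 2}
LATEST_LISTED_MINOR = 34  # newer minors are assumed fixed (assumption)

_VERSION = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(tag):
    """'v1.31.2' (or an image tag ending in it) -> (1, 31, 2)."""
    m = _VERSION.search(tag)
    if not m:
        raise ValueError(f"unrecognised version: {tag!r}")
    return tuple(int(x or 0) for x in m.groups())


def parse_feature_gates(args):
    """Collect --feature-gates=A=true,B=false (also the '--feature-gates X'
    form, and repeated flags) from a command line into {name: bool}."""
    gates = {}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--feature-gates="):
            spec = arg.split("=", 1)[1]
        elif arg == "--feature-gates" and i + 1 < len(args):
            i += 1
            spec = args[i]
        else:
            i += 1
            continue
        for item in spec.split(","):
            if "=" in item:
                name, value = item.split("=", 1)
                gates[name.strip()] = value.strip().lower() == "true"
        i += 1
    return gates


def in_tree_portworx_active(args, version):
    """True when CSIMigrationPortworx is effectively off: set to false
    explicitly, or absent on a release where it defaults to off (<= v1.30)."""
    _, minor, _ = parse_version(version)
    default_on = minor >= GATE_DEFAULT_ON_FROM_MINOR
    return not parse_feature_gates(args).get(GATE, default_on)


def has_fix(version):
    """True if this kube-controller-manager version contains the fix."""
    _, minor, patch = parse_version(version)
    if minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    return minor > LATEST_LISTED_MINOR


def exposure(args, version):
    """'fixed', 'gate-on' or 'exposed': whether the in-tree Portworx path is
    reachable on a release that lacks the fix."""
    if has_fix(version):
        return "fixed"
    if not in_tree_portworx_active(args, version):
        return "gate-on"
    return "exposed"


if __name__ == "__main__":
    # Constructed command line with the gate overridden to false.
    cmd = ["kube-controller-manager",
           "--feature-gates=CSIMigrationPortworx=false,SomeOtherGate=true",
           "--leader-elect=true"]
    print(exposure(cmd, "v1.31.2"))                         # exposed
    print(exposure(cmd, "v1.34.2"))                         # fixed
    print(exposure(["kube-controller-manager"], "v1.31.2"))  # gate-on
    print(exposure(["kube-controller-manager"], "v1.30.3"))  # exposed
```

A result of "exposed" only satisfies the first bullet; the other two (reachable unprotected endpoints, untrusted users able to create pods with the Portworx volume type) still need to be assessed separately.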


Affected Versions

The CSIMigrationPortworx feature gate was enabled by default starting in
version v1.31. As a result, EOL versions <= v1.30 are more likely to be
vulnerable, because the CSIMigrationPortworx feature gate is disabled by
default there.

   - kube-controller-manager: <= v1.30.14
   - kube-controller-manager: <= v1.31.14
   - kube-controller-manager: <= v1.32.9
   - kube-controller-manager: <= v1.33.5
   - kube-controller-manager: <= v1.34.1

How do I mitigate this vulnerability?

This issue can be mitigated by upgrading to a fixed kube-controller-manager
version or by enabling the CSIMigrationPortworx feature gate (if it was
overridden from its default value in versions greater than or equal to v1.31).

Fixed Versions

   - kube-controller-manager: >= v1.32.10
   - kube-controller-manager: >= v1.33.6
   - kube-controller-manager: >= v1.34.2

Detection

On impacted versions with the CSIMigrationPortworx feature gate disabled, this
issue can be detected by analyzing ProvisioningFailed events emitted by
kube-controller-manager; their messages may contain sensitive information
read from the control plane’s host network.
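The triage below is an added example, not code from the advisory or the Kubernetes project. It takes the JSON produced by `kubectl get sc -o json` and `kubectl get events -A -o json`, keeps ProvisioningFailed events whose message names a StorageClass backed by the in-tree provisioner `kubernetes.io/portworx-volume`, and flags the ones whose text looks like relayed host-network content rather than an ordinary provisioning error. The event message format it parses and the leak indicators (link-local or loopback addresses, JSON bodies, PEM blocks, JWT-shaped tokens) are assumptions to tune for your cluster; the StorageClass and event lists in the block are constructed.

```python
"""Triage ProvisioningFailed events for signs that an in-tree Portworx
provisioning error echoes data read from the control plane's host network.
Added example, not code from the advisory or the Kubernetes project."""
import json
import re
import sys

# In-tree Portworx provisioner name; StorageClasses using it are the ones
# whose failures matter here.
PORTWORX_PROVISIONER = "kubernetes.io/portworx-volume"

# The PV controller reports failures as
#   Failed to provision volume with StorageClass "<name>": <plugin error>
# (assumption about the exact wording; adjust to what your cluster emits).
SC_IN_MESSAGE = re.compile(r'StorageClass "([^"]+)"')

# Heuristic leak indicators (assumption, not from the advisory): text that a
# normal provisioning error should not contain but a relayed response from a
# metadata or loopback service would.
INDICATORS = {
    "link-local address": re.compile(r"\b169\.254\.\d{1,3}\.\d{1,3}\b"),
    "loopback target": re.compile(r"\b(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b"),
    "json body": re.compile(r'\{\s*"[^"]+"\s*:'),
    "pem block": re.compile(r"-----BEGIN [A-Z ]+-----"),
    "jwt-like token": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\."),
}


def portworx_storageclasses(sc_list):
    """Names of StorageClasses backed by the in-tree Portworx plugin."""
    return {sc["metadata"]["name"] for sc in sc_list.get("items", [])
            if sc.get("provisioner") == PORTWORX_PROVISIONER}


def triage_events(event_list, px_classes):
    """Return (event, [indicator names]) for ProvisioningFailed events that
    name a Portworx StorageClass and match at least one leak indicator."""
    findings = []
    for ev in event_list.get("items", []):
        if ev.get("reason") != "ProvisioningFailed":
            continue
        msg = ev.get("message", "")
        m = SC_IN_MESSAGE.search(msg)
        if not m or m.group(1) not in px_classes:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(msg)]
        if hits:
            findings.append((ev, hits))
    return findings


def sample_findings():
    """Run the triage over constructed StorageClass and event lists."""
    sc_list = {"items": [
        {"metadata": {"name": "px-sc"}, "provisioner": PORTWORX_PROVISIONER},
        {"metadata": {"name": "gp2"}, "provisioner": "kubernetes.io/aws-ebs"},
    ]}
    events = {"items": [
        # Constructed: message carrying a link-local address and a JSON body.
        {"reason": "ProvisioningFailed",
         "involvedObject": {"kind": "PersistentVolumeClaim", "name": "pvc-a"},
         "message": ('Failed to provision volume with StorageClass "px-sc": '
                     'request to 169.254.169.254 returned: '
                     '{"instance-id": "i-0constructed"}')},
        # Constructed: ordinary Portworx failure, nothing relayed.
        {"reason": "ProvisioningFailed",
         "involvedObject": {"kind": "PersistentVolumeClaim", "name": "pvc-b"},
         "message": ('Failed to provision volume with StorageClass "px-sc": '
                     'timeout waiting for Portworx volume')},
        # Constructed: loopback address, but not a Portworx StorageClass.
        {"reason": "ProvisioningFailed",
         "involvedObject": {"kind": "PersistentVolumeClaim", "name": "pvc-c"},
         "message": ('Failed to provision volume with StorageClass "gp2": '
                     'dial tcp 127.0.0.1:8080: connection refused')},
        {"reason": "ProvisioningSucceeded", "message": "ok"},
    ]}
    return triage_events(events, portworx_storageclasses(sc_list))


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python triage.py storageclasses.json events.json
        with open(sys.argv[1]) as f:
            classes = portworx_storageclasses(json.load(f))
        with open(sys.argv[2]) as f:
            results = triage_events(json.load(f), classes)
    else:
        results = sample_findings()
    for ev, hits in results:
        obj = ev.get("involvedObject", {})
        print(obj.get("kind"), obj.get("name"), hits)
```

Events are retained for a limited time by default (one hour), so a retrospective review needs an exported event stream or the API audit log rather than `kubectl get events` alone; `--field-selector reason=ProvisioningFailed` narrows the live query to the events this script inspects.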

If you find evidence that this vulnerability has been exploited, please
contact [email protected]

Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/135525

Acknowledgements

The issue was fixed and coordinated by:

Ankit Gohil @gohilankit

Thank You,

Nathan Herz on behalf of the Kubernetes Security Response Committee
