CVE-2025-59824

{"id": "CVE-2025-59824", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 0.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-09-24T20:15:33.343", "references": [{"url": "https://github.com/siderolabs/omni/commit/a5efd816a239e6c9e5ea7c0d43c02c04504d7b60", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siderolabs/omni/security/advisories/GHSA-hqrf-67pm-wgfq", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. The WireGuard interface on Omni is configured to ensure that the source IP address of an incoming packet matches the IPv6 address assigned to the Talos peer. However, it performs no validation on the packet's destination address. The Talos end of the SideroLink connection cannot be considered a trusted environment. Workloads running on Kubernetes, especially those configured with host networking, could gain direct access to this link. Therefore, a malicious workload could theoretically send arbitrary packets over the SideroLink interface. This issue has been patched in version 0.48.0."}, {"lang": "es", "value": "Omni gestiona Kubernetes en hardware dedicado (bare metal), m\u00e1quinas virtuales o en la nube. Antes de la versi\u00f3n 0.48.0, Omni Wireguard SideroLink tiene el potencial de escapar. Omni y cada m\u00e1quina Talos establecen una conexi\u00f3n SideroLink de punto a punto (P2P) utilizando WireGuard para autenticar y autorizar el acceso mutuamente. La interfaz WireGuard en Omni est\u00e1 configurada para asegurar que la direcci\u00f3n IP de origen de un paquete entrante coincida con la direcci\u00f3n IPv6 asignada al par Talos. Sin embargo, no realiza ninguna validaci\u00f3n en la direcci\u00f3n de destino del paquete. El extremo Talos de la conexi\u00f3n SideroLink no puede considerarse un entorno de confianza. Las cargas de trabajo que se ejecutan en Kubernetes, especialmente aquellas configuradas con redes de host (host networking), podr\u00edan obtener acceso directo a este enlace. Por lo tanto, una carga de trabajo maliciosa podr\u00eda, en teor\u00eda, enviar paquetes arbitrarios a trav\u00e9s de la interfaz SideroLink. Este problema ha sido parcheado en la versi\u00f3n 0.48.0."}], "lastModified": "2025-12-22T14:09:39.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siderolabs:omni:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "D4CB26E2-9BE2-42BD-8E29-52403A888D68", "versionEndExcluding": "0.48.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}