QwikSec

Security Database

CVE

CWE

Training

CVE-2025-64323

Published: Nov 7, 2025

Modified: Nov 7, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.

Vendor	Product	Versions
kgateway-dev	kgateway	affected `>= 2.1.0-agw-cel-rbac, < 2.1.0` affected `< 2.0.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r

x_refsource_CONFIRM

https://github.com/kgateway-dev/kgateway/issues/10651

x_refsource_MISC

https://github.com/kgateway-dev/kgateway/pull/12471

x_refsource_MISC

https://github.com/kgateway-dev/kgateway/pull/12535

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.