{"id":"CVE-2025-13281","summary":"Portworx Half-Blind SSRF in kube-controller-manager","details":"A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).","aliases":["GHSA-r6j8-c6r2-37rr","GO-2025-4240"],"modified":"2026-05-18T05:57:23.490177780Z","published":"2025-12-14T21:27:34.786Z","related":["CGA-qpfv-qmrf-52w5","SUSE-SU-2026:0037-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/13xxx/CVE-2025-13281.json","cna_assigner":"kubernetes","cwe_ids":["CWE-918"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/12/01/4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/13xxx/CVE-2025-13281.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13281"},{"type":"REPORT","url":"https://github.com/kubernetes/kubernetes/issues/135525"},{"type":"ARTICLE","url":"https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/kubernetes","events":[{"introduced":"7c48c2bd72b9bf5c44d21d7338cc7bea77d0ad2a"},{"last_affected":"9e18483918821121abdf9aa82bc14d66df5d68cd"},{"introduced":"9edcffcde5595e8a5b1a35f88c421764e575afce"},{"last_affected":"5e00b99bac504844579ec74886b6cc5c9611ca19"},{"introduced":"70d3cc986aa8221cd1dfb1121852688902d3bf53"},{"last_affected":"cea7087b31eb788b75934d769a28f058ab309318"},{"introduced":"60a317eadfcb839692a68eab88b2096f4d708f4f"},{"last_affected":"03e764d0394bdff662e960c70d25b3c30d731666"},{"introduced":"f28b4c9efbca5c5c0af716d9f2d5702667ee8a45"},{"last_affected":"93248f9ae092f571eb870b7664c534bfc7d00f03"}],"database_specific":{"extracted_events":[{"introduced":"v1.30.0"},{"last_affected":"v1.30.14"},{"introduced":"v1.31.0"},{"last_affected":"v1.31.14"},{"introduced":"v1.32.0"},{"last_affected":"v1.32.9"},{"introduced":"v1.33.0"},{"last_affected":"v1.33.5"},{"introduced":"v1.34.0"},{"last_affected":"v1.34.1"}],"source":"AFFECTED_FIELD"}}],"versions":["v1.31.14","v1.31.13","v1.33.5","v1.32.9","v1.34.1","v1.34.0","v1.32.8","v1.31.12","v1.33.4","v1.31.11","v1.33.3","v1.32.7","v1.32.6","v1.33.2","v1.31.10","v1.30.14","v1.30.13","v1.31.9","v1.32.5","v1.33.1","v1.33.0","v1.30.12","v1.32.4","v1.31.8","v1.31.7","v1.32.3","v1.30.11","v1.30.10","v1.31.6","v1.32.2","v1.30.9","v1.32.1","v1.31.5","v1.32.0","v1.31.4","v1.30.8","v1.30.7","v1.31.3","v1.30.6","v1.31.2","v1.30.5","v1.31.1","v1.30.4","v1.31.0","v1.30.3","v1.30.2","v1.30.1","v1.30.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-13281.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N"}]}