CVE-2025-13281
Severity: MEDIUM
Kubernetes <1.32.10, 1.30.0-1.30.13, 1.31.0-1.31.13, 1.32.0-1.32.8, 1.33.0-1.33.4, 1.34.0 SSRF via Portworx StorageClass
Title source: llmDescription
A half-blind Server-Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane's host network (including link-local or loopback services).
References (3)
Issue Tracking: https://github.com/kubernetes/kubernetes/issues/135525
Mailing List: https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ
Scores
CVSS v3: 5.8
EPSS: 0.0036
EPSS Percentile: 27.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (6)
k8s.io/kubernetes (Go): 0 - 1.32.10
Kubernetes/Kubernetes: v1.30.0 - v1.30.14
Kubernetes/Kubernetes: v1.31.0 - v1.31.14
Kubernetes/Kubernetes: v1.32.0 - v1.32.9
Kubernetes/Kubernetes: v1.33.0 - v1.33.5
Kubernetes/Kubernetes: v1.34.0 - v1.34.1
Published: Dec 14, 2025
Tracked Since: Feb 18, 2026