CVE-2025-54470

HIGH

NeuVector 5.3.0-5.3.4, 5.4.0-5.4.6 - Certificate Validation Bypass and DoS via Telemetry

Title source: llm

Description

This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes it vulnerable to a Denial of Service(DoS) attack

References (2)

Core 2

Core References

Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54470

Vendor Advisory

https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w

Scores

CVSS v3 8.6

EPSS 0.0017

EPSS Percentile 6.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (6)

neuvector/neuvector 0.0.0-20230727023453-1c4957d53911 - 0.0.0-20251020133207-084a437033b4Go

neuvector/neuvector 5.3.0 - 5.3.5Go

neuvector/neuvector 5.4.0 - 5.4.7Go

SUSE/neuvector 0.0.0-20230727023453-1c4957d53911 - 0.0.0-20251020133207-084a437033b4

SUSE/neuvector 5.3.0 - 5.3.5

SUSE/neuvector 5.4.0 - 5.4.7

Published Oct 30, 2025

Tracked Since Feb 18, 2026