CVE-2025-54992

MEDIUM

OpenKilda <1.164.0 - Info Disclosure

Title source: llm

Description

OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which, in combination with GHSL-2025-024, allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to information disclosure. This issue has been patched in version 1.164.0.

Scores

CVSS v4 6.9
EPSS 0.0014
EPSS Percentile 33.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-611
Status published
Products (1)
telstra/open-kilda < 1.164.0
Published Aug 11, 2025
Tracked Since Feb 18, 2026