Home > Vulnerability Database > CVE-2025-64323

Mend.io Vulnerability Database

CVE-2025-64323

Good to know:

Date: November 6, 2025

kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.

Severity Score

5.3

Related Resources (7)

Url: https://github.com/kgateway-dev/kgateway/pull/12535

Url: https://github.com/kgateway-dev/kgateway

Url: https://github.com/kgateway-dev/kgateway/issues/10651

Url: https://github.com/kgateway-dev/kgateway/pull/12471

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64323

Url: https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r

Url: https://www.mend.io/vulnerability-database/CVE-2025-64323

Severity Score

5.3

Weakness Type (CWE)

Missing Authorization

CWE-862

Top Fix

Upgrade Version

Upgrade to version github.com/kgateway-dev/kgateway/v2 - v2.1.0;github.com/kgateway-dev/kgateway/v2 - v2.0.5

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64323

Good to know:

Date: November 6, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?