Affected by GO-2025-3415 and 5 other vulnerabilities:
GO-2025-3415: DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium
GO-2025-3416: Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium
GO-2025-3560: Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers in github.com/cilium/cilium
GO-2025-3561: Cilium node based network policies may incorrectly allow workload traffic in github.com/cilium/cilium
GO-2025-3635: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters in github.com/cilium/cilium
GO-2025-4167: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic in github.com/cilium/cilium
CheckOrMountCgrpFS checks whether the cilium cgroup2 root mount point is
mounted and, if not, mounts it. If mapRoot is "" it mounts at the default
location. Having multiple cgroupv2 root mounts is harmless, so unlike the
BPFFS case it simply mounts at the cilium default regardless of whether the
system has another mount created by systemd or otherwise.
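
The decision described above reduces to asking whether a cgroup2 filesystem is already mounted at the chosen root, independent of any other cgroup2 mount on the host. The following Go program is an added example, not Cilium's own code; the sample mountinfo text, the /example/cgroupv2 root and the function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample in /proc/self/mountinfo format: systemd's unified
// hierarchy, a bpffs mount, and a second cgroup2 mount at a placeholder root.
const sampleMountinfo = `34 25 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - cgroup2 cgroup2 rw
40 25 0:35 / /sys/fs/bpf rw,nosuid,nodev,noexec shared:12 - bpf bpf rw,mode=700
97 25 0:29 / /example/cgroupv2 rw,relatime shared:9 - cgroup2 none rw
`

// cgroup2Mounts returns every mount point whose filesystem type is cgroup2.
// The type is the first field after " - "; the mount point is the fifth
// field before it. Octal escapes such as \040 in paths are not decoded here.
func cgroup2Mounts(mountinfo string) []string {
	var points []string
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		pre, post, ok := strings.Cut(sc.Text(), " - ")
		left, right := strings.Fields(pre), strings.Fields(post)
		if !ok || len(left) < 5 || len(right) < 1 || right[0] != "cgroup2" {
			continue // malformed line or a different filesystem type
		}
		points = append(points, filepath.Clean(left[4]))
	}
	return points
}

// needsMount reports whether root lacks a cgroup2 mount of its own. Other
// cgroup2 mounts on the system (for example systemd's) do not count.
func needsMount(mountinfo, root string) bool {
	for _, p := range cgroup2Mounts(mountinfo) {
		if p == filepath.Clean(root) {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println(cgroup2Mounts(sampleMountinfo), needsMount(sampleMountinfo, "/example/cgroupv2"))
}
```

On a live host the same functions can be fed the contents of /proc/self/mountinfo to audit which cgroup2 mounts exist before and after the agent starts.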