Affected by GO-2024-2568
and 16 other vulnerabilities
GO-2024-2568: Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium
GO-2024-2569: Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium
GO-2024-2653: HTTP policy bypass in github.com/cilium/cilium
GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium
GO-2024-2657: Unencrypted traffic between nodes with WireGuard in github.com/cilium/cilium
GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium
GO-2024-2922: Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium
GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium
GO-2024-3208: Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium
GO-2025-3415: DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium
GO-2025-3416: Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium
GO-2025-3635: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters in github.com/cilium/cilium
GO-2025-4167: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic in Ciliumgithub.com/cilium/cilium
GO-2026-4856: Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium
GO-2026-5400: Cillium exposes sensitive information included in the cilium-bugtool debug archive in github.com/cilium/cilium
GO-2026-5905: Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access in github.com/cilium/cilium
GO-2026-5914: CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation in github.com/cilium/cilium
CombinedOutput runs the command and returns its combined standard output and
standard error. Unlike the standard library, if the context is exceeded, it
will return an error indicating so.
Logs any errors that occur to the specified logger.
Output runs the command and returns only standard output, but not the
standard error. Unlike the standard library, if the context is exceeded,
it will return an error indicating so.
Logs any errors that occur to the specified logger.