Affected by GO-2025-3560
and 7 other vulnerabilities
GO-2025-3560: Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers in github.com/cilium/cilium
GO-2025-3561: Cilium node based network policies may incorrectly allow workload traffic in github.com/cilium/cilium
GO-2025-3635: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters in github.com/cilium/cilium
GO-2025-4167: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic in Ciliumgithub.com/cilium/cilium
GO-2026-4856: Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium
GO-2026-5400: Cillium exposes sensitive information included in the cilium-bugtool debug archive in github.com/cilium/cilium
GO-2026-5905: Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access in github.com/cilium/cilium
GO-2026-5914: CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation in github.com/cilium/cilium
const (
// ProxyTypeAny represents the case where no proxy type is provided. ProxyTypeAny ProxyType = ""
// ProxyTypeHTTP specifies the Envoy HTTP proxy type ProxyTypeHTTP ProxyType = "http"
// ProxyTypeDNS specifies the staticly configured DNS proxy type ProxyTypeDNS ProxyType = "dns"
// ProxyTypeCRD specifies a proxy configured via CiliumEnvoyConfig CRD ProxyTypeCRD ProxyType = "crd"
DNSProxyName = "cilium-dns-egress"
)