Authentication Vulnerability in kgateway API and AI Gateway by kgateway
CVE-2025-64323

5.3MEDIUM

Key Information:

Vendor

Kgateway-dev

Status
Kgateway
Vendor
CVE Published:
7 November 2025

What is CVE-2025-64323?

kgateway, a Cloud-Native API and AI Gateway, has an authentication vulnerability in versions 2.0.4 and below, as well as in specific versions of 2.1.0. This flaw allows unauthorized clients with unrestricted network access to interact with the xDS port, enabling them to access sensitive configuration data. This includes potentially confidential information such as certificate data, backend service details, routing rules, and cluster metadata. To mitigate this issue, users are advised to upgrade to version 2.0.5 or higher, or to the stable release of 2.1.0.

Affected Version(s)

kgateway >= 2.1.0-agw-cel-rbac, < 2.1.0 < 2.1.0-agw-cel-rbac, 2.1.0

kgateway < 2.0.5 < 2.0.5

References

https://github.com/kgateway-dev/kgateway/security/advisor...
x_refsource_CONFIRM
https://github.com/kgateway-dev/kgateway/issues/10651
x_refsource_MISC
https://github.com/kgateway-dev/kgateway/pull/12471
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64323 : Authentication Vulnerability in kgateway API and AI Gateway by kgateway