
CVE-2025-67499: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in containernetworking plugins

Severity: Medium
Tags: Vulnerability, CVE-2025-67499, CWE-200
Published: Tue Dec 09 2025 (12/09/2025, 23:13:22 UTC)
Source: CVE Database V5
Vendor/Project: containernetworking
Product: plugins

Description

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

AI-Powered Analysis

AI analysis last updated: 12/09/2025, 23:35:55 UTC

Technical Analysis

The vulnerability CVE-2025-67499 affects the containernetworking portmap plugin, which is responsible for forwarding host ports to containers. In versions 1.6.0 through 1.8.0, when the plugin is configured to use the nftables backend, it incorrectly forwards all traffic destined for the host port to the container requesting HostPort forwarding, regardless of the destination IP address. This behavior causes containers to receive traffic not intended for them, including traffic meant for other containers on the same host. The root cause is that the nftables backend implementation does not properly filter traffic by destination IP, leading to unintended exposure of network traffic. Exploiting this vulnerability requires that the attacker has the ability to configure or run containers with HostPort forwarding enabled and that the portmap plugin uses the nftables backend. The vulnerability can lead to unauthorized exposure of sensitive information (CWE-200) and potentially impact the integrity and availability of services due to traffic interception or disruption. The issue is resolved in version 1.9.0 of the plugin. As a workaround, users can configure the portmap plugin to use the iptables backend, which does not exhibit this vulnerability. There are no known exploits in the wild as of the publication date, but the medium CVSS score of 6.6 reflects the moderate risk due to required privileges and local access. The vulnerability impacts containerized environments that rely on the containernetworking plugins for port forwarding, which are common in cloud-native deployments and Kubernetes clusters.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to containerized applications that use the containernetworking portmap plugin with the nftables backend. Confidentiality is at risk because containers can intercept network traffic not intended for them, potentially exposing sensitive data such as internal service communications or customer information. Integrity and availability may also be affected if intercepted traffic is manipulated or if services experience disruptions due to misrouted traffic. Organizations running multi-tenant or shared container environments are particularly vulnerable, as attackers could exploit this to access data from other tenants. Critical sectors such as finance, healthcare, and government that rely heavily on containerized infrastructure could face data breaches or service outages. The requirement for local privileges limits remote exploitation, but insider threats or compromised containers could leverage this vulnerability. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Overall, the vulnerability could undermine trust in container security and complicate compliance with data protection regulations like GDPR if sensitive data is exposed.

Mitigation Recommendations

European organizations should prioritize upgrading the containernetworking portmap plugin to version 1.9.0 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, reconfigure the portmap plugin to use the iptables backend instead of nftables, as this backend is not affected by the vulnerability. Conduct thorough audits of container configurations to identify any use of HostPort forwarding with the vulnerable plugin versions and nftables backend. Implement strict access controls to limit which users or services can deploy containers with HostPort forwarding enabled. Monitor network traffic on host ports for unusual patterns that could indicate interception or misrouting. Employ network segmentation and container isolation best practices to reduce the impact scope if exploitation occurs. Regularly update container orchestration platforms and plugins to incorporate security patches. Finally, educate DevOps and security teams about this vulnerability to ensure awareness and prompt remediation.
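The audit step above (find portmap entries that explicitly select the nftables backend) can be scripted. The following is an added example written for this page; it is not code from the advisory or from the containernetworking/plugins project. It assumes CNI network lists are JSON files under a directory such as `/etc/cni/net.d` with a `plugins` array, and that the portmap plugin chooses its backend through a `backend` key with the value `iptables` or `nftables` (the key name is an assumption here; confirm it against the documentation of the plugin version you run). The two embedded configurations are constructed samples, one showing the vulnerable setting and one the workaround from the advisory. The version check covers the whole affected range 1.6.0 through 1.8.0 rather than a single version.

```python
"""Audit CNI configs for the portmap + nftables combination from CVE-2025-67499.

Added example, not part of the advisory or of the containernetworking/plugins
project. ASSUMPTION: the portmap plugin is configured with a "backend" key
whose value is "iptables" or "nftables".
"""
import json
from pathlib import Path
from typing import Iterable

AFFECTED_MIN = (1, 6, 0)   # first affected version, per the advisory
FIXED = (1, 9, 0)          # first fixed version, per the advisory


def parse_version(v: str) -> tuple:
    """Turn 'v1.8.0' or '1.8.0' into (1, 8, 0); prerelease/build suffixes are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def version_affected(v: str) -> bool:
    """True when 1.6.0 <= v < 1.9.0 (the range the advisory names as affected)."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


def portmap_findings(conf: dict, source: str = "<inline>") -> list:
    """Return one finding per portmap entry that explicitly selects nftables.

    A single-plugin .conf file has no "plugins" list; it is treated as a
    one-element list so both file shapes are handled.
    """
    findings = []
    plugins = conf.get("plugins") or [conf]
    for plugin in plugins:
        if plugin.get("type") != "portmap":
            continue
        if plugin.get("backend") == "nftables":   # ASSUMED key name, see docstring
            findings.append({
                "source": source,
                "network": conf.get("name", "<unnamed>"),
                "backend": "nftables",
                "advice": 'set "backend": "iptables" or upgrade portmap to 1.9.0+',
            })
    return findings


def audit_paths(paths: Iterable[Path]) -> list:
    """Load each JSON config and collect findings; unreadable files are skipped."""
    findings = []
    for path in paths:
        try:
            conf = json.loads(path.read_text())
        except (OSError, ValueError):
            continue
        findings.extend(portmap_findings(conf, str(path)))
    return findings


# Constructed sample network lists (not taken from any real node).
VULNERABLE_CONFLIST = {
    "cniVersion": "1.0.0",
    "name": "constructed-net-nftables",
    "plugins": [
        {"type": "bridge", "bridge": "cni0",
         "ipam": {"type": "host-local", "subnet": "10.88.0.0/16"}},
        # explicit nftables backend: the setting the advisory says is affected
        {"type": "portmap", "backend": "nftables",
         "capabilities": {"portMappings": True}},
    ],
}

SAFE_CONFLIST = {
    "cniVersion": "1.0.0",
    "name": "constructed-net-iptables",
    "plugins": [
        {"type": "bridge", "bridge": "cni0",
         "ipam": {"type": "host-local", "subnet": "10.88.0.0/16"}},
        # workaround from the advisory: the iptables backend is not affected
        {"type": "portmap", "backend": "iptables",
         "capabilities": {"portMappings": True}},
    ],
}


def main() -> None:
    for conf in (VULNERABLE_CONFLIST, SAFE_CONFLIST):
        for f in portmap_findings(conf, conf["name"]):
            print(f"{f['source']}: portmap backend={f['backend']} -> {f['advice']}")
    # On a real node the same check would run over the CNI config directory:
    # for f in audit_paths(Path("/etc/cni/net.d").glob("*.conf*")): print(f)


if __name__ == "__main__":
    main()
```

Pair the config scan with the installed plugin version: a finding only matters when the portmap binary is in the 1.6.0 to 1.8.0 range (`version_affected`), and an unset `backend` is outside the advisory's stated condition, so the script flags only explicit `nftables` selections.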


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-08T20:58:24.641Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6938aedab56b439e93e4e8d6

Added to database: 12/9/2025, 11:20:58 PM

Last enriched: 12/9/2025, 11:35:55 PM

Last updated: 12/11/2025, 6:56:54 AM
