CVE-2025-67499: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in containernetworking plugins
The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e., traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. As a workaround, configure the portmap plugin to use the iptables backend, which does not have this vulnerability.
AI Analysis
Technical Summary
CVE-2025-67499 affects the containernetworking portmap plugin, which implements HostPort forwarding from the host to a container. In versions 1.6.0 through 1.8.0, when the plugin is configured to use the nftables backend, the forwarding rule matches only on the destination port: any traffic reaching the node with that destination port is redirected to the container, regardless of the destination IP address. A container configured with HostPort forwarding can therefore intercept traffic addressed to other containers on the same node, which is why the issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is the missing destination-IP match in the rule the plugin installs. Exploitation requires the ability to configure a container with HostPort forwarding on a node whose portmap plugin is explicitly set to the nftables backend; no user interaction is needed, but low privileges are (PR:L). The impact covers confidentiality and integrity loss, with an availability impact as well, since intercepted traffic can be disrupted. The issue is fixed in version 1.9.0 of the plugins. A practical mitigation is to switch the portmap plugin backend to iptables, which does not have this flaw. No known exploits had been reported in the wild at the time of writing.
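The defect described above is a DNAT rule that matches on destination port but not on destination address. The following added example (not code from the advisory or the CNI plugins project) flags such unscoped rules in text shaped like `nft list ruleset` output, using a constructed sample ruleset; the exact rules the portmap plugin emits are not shown on the page, so the rule shape is an assumption.

```python
import re

# Added example, not from the advisory or the CNI plugins project: scan nftables
# rules and report DNAT port-forwarding rules that match only on dport with no
# destination-address match, i.e. forwarding that ignores the destination IP as
# the advisory describes. Assumption: the input is text in the form printed by
# `nft list ruleset`; the plugin's real rule layout is not given on the page.

DNAT_RE = re.compile(r"\bdnat\s+(?:ip\s+)?to\s+(\S+)")
DPORT_RE = re.compile(r"\b(tcp|udp)\s+dport\s+(\d+)\b")
DADDR_RE = re.compile(r"\bip6?\s+daddr\b")

def find_unscoped_dnat(ruleset: str) -> list[dict]:
    """Return DNAT rules that match on dport but carry no daddr match."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        dnat = DNAT_RE.search(line)
        dport = DPORT_RE.search(line)
        if not (dnat and dport):
            continue  # not a port-forwarding DNAT rule
        if DADDR_RE.search(line):
            continue  # scoped to a host address: the expected, safe shape
        findings.append({"line": lineno, "proto": dport.group(1),
                         "dport": int(dport.group(2)), "target": dnat.group(1)})
    return findings

# Constructed sample ruleset; not captured from a real host.
SAMPLE_RULESET = """\
table ip example_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 192.0.2.10 tcp dport 8080 dnat to 10.244.0.5:80
        tcp dport 9090 dnat to 10.244.0.7:9090
        ip daddr 192.0.2.10 udp dport 5353 dnat to 10.244.0.9:5353
    }
}
"""

if __name__ == "__main__":
    for f in find_unscoped_dnat(SAMPLE_RULESET):
        print(f"line {f['line']}: {f['proto']}/{f['dport']} -> {f['target']} has no daddr match")
```

Only the second rule is reported: it redirects every packet with destination port 9090, whichever address it was sent to.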
Potential Impact
For European organizations that deploy containerized applications using containernetworking plugins with HostPort forwarding and the nftables backend, this vulnerability poses a significant risk of sensitive data exposure. Containers could intercept traffic intended for other containers on the same host, potentially leaking confidential information such as internal service communications, credentials, or personal data. This could lead to data breaches, compliance violations (e.g., GDPR), and loss of trust. Additionally, the integrity of network traffic could be compromised, allowing attackers to manipulate or disrupt service communications. The availability of services could also be affected if traffic interception leads to denial of service or degraded performance. Organizations with multi-tenant container environments or those running critical applications on Kubernetes or similar platforms are particularly at risk. The requirement for low privileges to exploit means that insider threats or compromised containers could leverage this vulnerability. The lack of known exploits currently provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
European organizations should immediately assess their container networking configurations to determine if the portmap plugin is in use with the nftables backend and if HostPort forwarding is enabled. If so, they should upgrade the containernetworking plugins to version 1.9.0 or later, which contains the fix. If upgrading is not immediately feasible, reconfigure the portmap plugin to use the iptables backend as a temporary workaround, as it does not exhibit this vulnerability. Additionally, restrict the use of HostPort forwarding to only trusted containers and minimize privileges granted to containerized workloads to reduce the risk of exploitation. Network segmentation and monitoring should be enhanced to detect unusual traffic patterns indicative of interception attempts. Implement strict container runtime security policies and conduct regular audits of container configurations. Finally, ensure that container orchestration platforms and underlying hosts are patched and hardened to reduce the attack surface.
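The first two recommendations above (find portmap entries on the nftables backend, then apply the iptables workaround) as an added example, not code from the advisory or the CNI plugins project. It assumes CNI conflists live in a directory such as /etc/cni/net.d, that the plugin entry is identified by `"type": "portmap"`, and that its backend is selected by a `"backend"` key; the sample conflist is constructed.

```python
import json
from pathlib import Path
# Added example, not code from the advisory or the CNI plugins project: audit CNI
# conflist files for a portmap entry on the nftables backend and emit a copy that
# applies the advisory's workaround (switch that entry to iptables). Assumptions:
# conflists live in a directory such as /etc/cni/net.d, the plugin is identified by
# "type": "portmap", and its backend is chosen by a "backend" key.

VULNERABLE_BACKEND = "nftables"
SAFE_BACKEND = "iptables"

def find_vulnerable_portmaps(conflist: dict) -> list[int]:
    """Return indexes of portmap plugin entries explicitly set to nftables."""
    return [i for i, p in enumerate(conflist.get("plugins", []))
            if p.get("type") == "portmap" and p.get("backend") == VULNERABLE_BACKEND]

def apply_workaround(conflist: dict) -> dict:
    """Return a deep copy of the conflist with affected entries moved to iptables."""
    fixed = json.loads(json.dumps(conflist))
    for i in find_vulnerable_portmaps(fixed):
        fixed["plugins"][i]["backend"] = SAFE_BACKEND
    return fixed

def audit_dir(cni_dir: str) -> dict[str, list[int]]:
    """Map each .conf/.conflist file under cni_dir to its affected portmap indexes."""
    report = {}
    for path in sorted(Path(cni_dir).glob("*.conf*")):
        try:
            data = json.loads(path.read_text())
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or not JSON: skip it, but do not abort the audit
        # A bare .conf holds one plugin; wrap it so one code path handles both shapes
        hits = find_vulnerable_portmaps(data if "plugins" in data else {"plugins": [data]})
        if hits:
            report[path.name] = hits
    return report

# Constructed sample conflist; not taken from any real deployment.
SAMPLE_CONFLIST = {
    "cniVersion": "1.0.0",
    "name": "example-net",
    "plugins": [
        {"type": "bridge", "bridge": "cni0", "isGateway": True, "ipMasq": True},
        {"type": "portmap", "backend": "nftables", "capabilities": {"portMappings": True}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(apply_workaround(SAMPLE_CONFLIST), indent=2))
```

An entry with no `backend` key is not flagged, matching the advisory's statement that the nftables backend must be explicitly configured; the workaround is a stopgap until the plugins are upgraded to 1.9.0 or later.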
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-08T20:58:24.641Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6938aedab56b439e93e4e8d6
Added to database: 12/9/2025, 11:20:58 PM
Last enriched: 12/17/2025, 12:25:37 AM
Last updated: 2/7/2026, 3:56:40 AM