
chore(deps): update module github.com/containernetworking/plugins to v1.9.0 [security] (main) #442

Open
redhat-renovate-bot wants to merge 1 commit into main from renovate/main-go-github.com-containernetworking-plugins-vulnerability

Conversation

@redhat-renovate-bot redhat-renovate-bot commented Mar 13, 2026

This PR contains the following updates:

Package                                 Type     Update  Change
github.com/containernetworking/plugins  require  minor   v1.8.0 -> v1.9.0

CNA Plugins Portmap nftables backend can intercept non-local traffic

CVE-2025-67499 / GHSA-jv3w-x3r3-g6rm / GO-2025-4222

Background

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to 198.51.100.42:53 be forwarded to the container's network.

Vulnerability

When the portmap plugin is configured with the nftables backend, it inadvertently forwards all traffic with the same destination port as the host port, ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.

In the given example above, traffic destined to port 53 but for a separate container would still be captured and forwarded, even though it was not destined for the host.

Impact

Containers (i.e. Kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. (The iptables backend is the default.)

Patches

This is fixed as of CNI plugins v1.9.0.

Workarounds

Configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


CNA Plugins Portmap nftables backend can intercept non-local traffic in github.com/containernetworking/plugins

CVE-2025-67499 / GHSA-jv3w-x3r3-g6rm / GO-2025-4222

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

containernetworking/plugins (github.com/containernetworking/plugins)

v1.9.0: CNI plugins v1.9.0

What's Changed

This release fixes CVE-2025-67499, a bug in the nftables backend for the portmap plugin that can cause traffic to be unexpectedly intercepted.

Full Changelog: containernetworking/plugins@v1.8.0...v1.9.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.
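As an added illustration of the rule shape the advisory above describes (not code from this PR or from the CNI plugins project), the following Go check scans nftables DNAT rules in nft(8) list syntax and flags any rule that forwards on a destination port without also matching a destination address. The sample rule lines are constructed for the example; the portmap plugin's real generated ruleset may differ.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample rules in nft(8) list syntax (not the portmap plugin's
// real ruleset). A rule keyed only on dport redirects port-53 traffic sent to
// any address, including other containers; adding the host daddr pins it.
var sampleRules = []string{
	"tcp dport 53 dnat to 10.244.0.7:53",                        // weak
	"ip daddr 198.51.100.42 tcp dport 53 dnat to 10.244.0.7:53", // hardened
	"ip6 daddr 2001:db8::42 tcp dport 8080 dnat to [fd00::7]:8080",
	"udp dport 8053 dnat to 10.244.0.9:53",                      // weak
	"ip daddr 198.51.100.42 tcp dport 443 accept",               // not dnat
}

var (
	dportRe = regexp.MustCompile(`\b(tcp|udp) dport (\d+)`)
	daddrRe = regexp.MustCompile(`\bip6? daddr \S+`)
)

type Finding struct {
	Rule string
	Port string
}

// AuditDNATRules returns every rule that DNATs on a destination port without
// also constraining the destination address, which is the CVE-2025-67499
// rule shape fixed in plugins v1.9.0.
func AuditDNATRules(rules []string) []Finding {
	var findings []Finding
	for _, r := range rules {
		if !strings.Contains(r, " dnat ") {
			continue // not a port-forwarding rule
		}
		m := dportRe.FindStringSubmatch(r)
		if m == nil || daddrRe.MatchString(r) {
			continue // no port match, or destination address already pinned
		}
		findings = append(findings, Finding{Rule: r, Port: m[2]})
	}
	return findings
}

func main() {
	for _, f := range AuditDNATRules(sampleRules) {
		fmt.Printf("port %s forwarded without daddr match: %q\n", f.Port, f.Rule)
	}
}
```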

…v1.9.0 [security]

Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label Mar 13, 2026
@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Mar 13, 2026
@kubevirt-bot (Collaborator)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign schseba for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the github.com/containernetworking/plugins dependency to version v1.9.0. This update is crucial as it incorporates a security fix for CVE-2025-67499, which resolves an issue where the portmap plugin's nftables backend could inadvertently intercept non-local network traffic. The update also includes a minor bug fix related to network address settling.

Highlights

  • Dependency Update: Updated the github.com/containernetworking/plugins module from v1.8.0 to v1.9.0.
  • Security Fix: Addressed CVE-2025-67499, a vulnerability in the CNI portmap plugin's nftables backend that could allow interception of non-local traffic.
  • Bug Fix: Included a fix in addr_linux.go to prevent indefinite waiting for tentative addresses on a down network interface.

Changelog

  • go.mod
    • Updated the required version of github.com/containernetworking/plugins to v1.9.0.
  • go.sum
    • Updated the cryptographic checksums for the github.com/containernetworking/plugins module.
  • vendor/github.com/containernetworking/plugins/pkg/ip/addr_linux.go
    • Modified the SettleAddresses function to check the operational state of a network link before returning an error for tentative addresses, preventing an infinite wait if the link is down.
  • vendor/modules.txt
    • Updated the commented version of github.com/containernetworking/plugins to v1.9.0.

Activity

  • This pull request was automatically generated by redhat-renovate-bot to update a dependency.

@gemini-code-assist (bot) left a comment

Code Review

This pull request updates the github.com/containernetworking/plugins module from v1.8.0 to v1.9.0. This update addresses the security vulnerability CVE-2025-67499 related to the portmap nftables backend. The file modifications in go.mod, go.sum, and the vendor directory are all consequences of this dependency upgrade. The changes appear correct for the intended version bump.
