1. Vulnerability Overview: CVE-2025-22870 (SNYK-CHAINGUARDLATEST-TERRAFORMPROVIDERKUBERNETES-9573009)

CVE-2025-22870 is a security vulnerability that reaches the terraform-provider-kubernetes module through its Go dependencies. The provider, which is commonly used to manage Kubernetes resources through HashiCorp's Infrastructure-as-Code (IaC) tool, Terraform, links the golang.org/x/net proxy-selection code in which the flaw lives, so every provider binary built against the old dependency inherits it.

What is the issue?

The flaw sits in the proxy-selection logic (the golang.org/x/net proxy and http/httpproxy packages) and concerns how certain IPv6 address forms are interpreted when the proxy configuration decides whether a destination is exempt from the proxy. Specifically, the NO_PROXY (or no_proxy) environment variable holds host patterns, and the matching of those patterns against the destination host mishandles IPv6 literals that carry a zone identifier.

A zone identifier is the suffix after % in an IPv6 literal (for example %eth0 names the interface for a link-local address). In a URL the % itself must be written %25, so [::1%25.example.com] denotes the address ::1 with the zone .example.com. Because of the misinterpretation, the zone text is compared as if it were part of a hostname, so a crafted zone can satisfy a NO_PROXY hostname pattern and the request is sent directly to the destination instead of through the outbound proxy, skipping whatever filtering and network monitoring the proxy provides.

Technical Insight:

When NO_PROXY is set to a domain pattern like *.example.com, a request to [::1%25.example.com]:80 should not match: the destination is an IP literal, not a host under example.com, and an IP literal should only be exempted by an IP or CIDR entry. The flawed logic fails to recognise the literal as an IP address once a zone is attached, falls back to hostname suffix matching, finds the trailing .example.com in the zone and declares the destination exempt, so the request leaves directly and bypasses the proxy layer altogether.
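The following Go program is an added example, not code from the original page and not the golang.org/x/net implementation itself; it is a simplified re-creation of the decision the library makes, written to show why the zone slips through. useProxyVulnerable mirrors the flawed path: net.ParseIP rejects any literal with a zone, so "::1%.example.com" is not treated as an IP and falls into suffix matching. useProxyFixed parses the literal with net/netip (which understands zones), drops the zone, and only lets IP/CIDR entries exempt an IP literal. The rule model (suffix, exact, prefix), the helper names and the sample inputs are assumptions made for the example; decide feeds a full URL through net/url so the %25-encoded zone is decoded the way an HTTP client would see it.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// noProxyRule is one parsed NO_PROXY entry: either a hostname pattern or an
// IP / CIDR range. This is a deliberately simplified model, not the library's type.
type noProxyRule struct {
	suffix string       // ".example.com" for "*.example.com", ".example.com" or "example.com"
	exact  string       // "example.com" for a bare hostname entry
	prefix netip.Prefix // for "10.0.0.0/8" or a single IP literal
}

// parseNoProxy splits a NO_PROXY value into rules.
func parseNoProxy(env string) []noProxyRule {
	var rules []noProxyRule
	for _, entry := range strings.Split(env, ",") {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if entry == "" {
			continue
		}
		if p, err := netip.ParsePrefix(entry); err == nil {
			rules = append(rules, noProxyRule{prefix: p})
			continue
		}
		if a, err := netip.ParseAddr(entry); err == nil {
			rules = append(rules, noProxyRule{prefix: netip.PrefixFrom(a, a.BitLen())})
			continue
		}
		switch {
		case strings.HasPrefix(entry, "*."):
			rules = append(rules, noProxyRule{suffix: entry[1:]})
		case strings.HasPrefix(entry, "."):
			rules = append(rules, noProxyRule{suffix: entry})
		default:
			rules = append(rules, noProxyRule{exact: entry, suffix: "." + entry})
		}
	}
	return rules
}

// hostOf strips the port and the IPv6 brackets from a host:port string.
func hostOf(hostport string) string {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		host = hostport
	}
	return strings.ToLower(host)
}

// matchDomain applies only the hostname rules.
func matchDomain(rules []noProxyRule, host string) bool {
	for _, r := range rules {
		if r.exact != "" && host == r.exact {
			return true
		}
		if r.suffix != "" && strings.HasSuffix(host, r.suffix) {
			return true
		}
	}
	return false
}

// matchIP applies only the IP / CIDR rules.
func matchIP(rules []noProxyRule, ip netip.Addr) bool {
	for _, r := range rules {
		if r.prefix.IsValid() && r.prefix.Contains(ip) {
			return true
		}
	}
	return false
}

// useProxyVulnerable reproduces the flawed decision. net.ParseIP returns nil for
// "::1%.example.com" because it does not accept zone identifiers, so the literal
// is treated as a hostname and "*.example.com" matches its trailing zone text.
func useProxyVulnerable(rules []noProxyRule, hostport string) bool {
	host := hostOf(hostport)
	if ip := net.ParseIP(host); ip != nil {
		addr, _ := netip.AddrFromSlice(ip)
		return !matchIP(rules, addr.Unmap())
	}
	return !matchDomain(rules, host)
}

// useProxyFixed recognises the literal (zone included) as an IP, strips the zone,
// and lets only IP / CIDR entries exempt it; hostname patterns never see the zone.
func useProxyFixed(rules []noProxyRule, hostport string) bool {
	host := hostOf(hostport)
	if addr, err := netip.ParseAddr(host); err == nil {
		return !matchIP(rules, addr.WithZone("").Unmap())
	}
	return !matchDomain(rules, host)
}

// decide evaluates a full URL under both behaviours; net/url decodes the %25 zone escape.
func decide(noProxy, rawURL string) (vulnerable, fixed bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, false, err
	}
	rules := parseNoProxy(noProxy)
	return useProxyVulnerable(rules, u.Host), useProxyFixed(rules, u.Host), nil
}

func main() {
	for _, target := range []string{
		"http://api.example.com:80/",
		"http://[::1%25.example.com]:80/", // the CVE's published test case
		"http://[fd00::5%25.example.com]:443/",
		"http://[fd00::5]:443/",
	} {
		v, f, err := decide("*.example.com", target)
		if err != nil {
			fmt.Println(target, err)
			continue
		}
		fmt.Printf("%-40s vulnerable: proxy=%-5v fixed: proxy=%v\n", target, v, f)
	}
}
```

Run it with NO_PROXY=*.example.com and the two zone-carrying literals come out with proxy=false on the vulnerable path and proxy=true on the fixed path, while the plain hostname and the plain IPv6 literal behave identically under both. Adding an explicit fd00::/8 entry to NO_PROXY exempts [fd00::5%25.example.com] on the fixed path as well, which is the intended way to exempt IP literals.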

Affected Versions:

  • terraform-provider-kubernetes versions prior to 2.36.0-r1 (Chainguard package versioning, where the -r1 suffix is the package revision)
  • This includes hardened container images provided by Chainguard that ship an older build of the provider

Remediation:

  • Upgrade to terraform-provider-kubernetes v2.36.0-r1 or newer
  • If you build the provider yourself, the upstream fix is golang.org/x/net v0.36.0; the copy vendored into the Go standard library's net/http was fixed in Go 1.23.7 and 1.24.1, so rebuild with a fixed toolchain and dependency
  • Consider implementing additional egress controls at the network layer to enforce outbound security regardless of application-level proxy configurations

2. Attack Scenario: Proxy Bypass Enables Undetected API Intrusion

Scenario Title:

"Insider Threat in the Cloud: Circumventing Proxies to Breach Kubernetes"

Context:

An enterprise manages its Kubernetes infrastructure via Terraform. Outbound traffic from build and automation environments is tightly controlled through a centralised proxy. All traffic to the Kubernetes API is expected to be routed and monitored through this proxy for security and audit compliance.

Threat Actor:

A DevOps engineer who has left the team but still holds residual Terraform access plans to create a backdoor. Although the individual's privileges are limited after departure, outdated deployment pipelines still reference an older, vulnerable version of terraform-provider-kubernetes.

Stages of the Attack:

  1. Setup: The engineer runs the deployment through the pipeline that still pins the vulnerable provider and relies on the NO_PROXY rules already configured in that environment, such as *.internal.company.com.
  2. Exploit: The provider is pointed at the Kubernetes API server through an IPv6 literal carrying a crafted zone identifier, of the form [::1%25.internal.company.com]:443 (the published test case uses ::1; the zone suffix is what matters). Because the zone .internal.company.com satisfies the NO_PROXY pattern, the vulnerable matcher treats the destination as exempt and the provider connects directly to the API server instead of through the proxy. This only works when the API server is addressed by an IPv6 literal; a hostname such as api.internal.company.com is exempted or proxied exactly as the pattern intends.
  3. Payload Delivery: Using Terraform, a malicious Pod is created with embedded reverse shell capabilities or access to sensitive mounted volumes.
  4. Stealth: Because the connection never reaches the proxy, the proxy logs that the SOC relies on contain nothing about it, and the incident goes unnoticed by teams and platforms that monitor only at the proxy. Sources outside the proxy, such as Kubernetes API server audit logs and network flow logs, still record the connection.
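As an added example (not from the original page, and not part of the provider or of any Chainguard tooling), the following Go program is the check a detection engineer would run over pipeline environment dumps and provider configuration before trusting NO_PROXY: it flags IPv6 literals whose zone identifier looks like a bypass attempt, either because the zone sits on an address that is not link-local (where a zone has no legitimate meaning) or because the zone ends in one of the NO_PROXY hostname suffixes found in the same input. The sample lines, including the host = form and the values given to KUBE_HOST and NO_PROXY, are constructed for the example; the only URL escape it decodes is %25, which is the one relevant to zones.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// sampleLines is a constructed sample of what a pipeline environment dump or a
// Terraform provider configuration might contain; nothing here is from a real system.
var sampleLines = []string{
	`KUBE_HOST=https://k8s-api.internal.company.com:6443`,
	`host = "https://[fd00:10::20]:6443"`,
	`KUBE_HOST=https://[fd00:10::20%25.internal.company.com]:6443`,
	`host = "https://[fe80::1%eth0]:6443"`,
	`NO_PROXY=*.internal.company.com,10.0.0.0/8`,
}

// finding describes one IPv6 literal whose zone identifier looks like an attempt
// to satisfy a NO_PROXY hostname pattern.
type finding struct {
	Line    string
	Address string // the literal with the zone removed
	Zone    string
	Reasons []string
}

// bracketedLiteral captures the contents of [...] in an http(s) URL.
var bracketedLiteral = regexp.MustCompile(`https?://\[([^\]]+)\]`)

// noProxySuffixes collects the hostname suffixes from any NO_PROXY / no_proxy line.
// IP and CIDR entries are skipped because a zone cannot be matched against them.
func noProxySuffixes(lines []string) []string {
	var suffixes []string
	for _, line := range lines {
		key, val, ok := strings.Cut(line, "=")
		if !ok || !strings.EqualFold(strings.TrimSpace(key), "NO_PROXY") {
			continue
		}
		for _, e := range strings.Split(val, ",") {
			e = strings.ToLower(strings.TrimSpace(e))
			switch {
			case e == "":
			case strings.HasPrefix(e, "*."):
				suffixes = append(suffixes, e[1:])
			case strings.HasPrefix(e, "."):
				suffixes = append(suffixes, e)
			default:
				if _, err := netip.ParsePrefix(e); err == nil {
					continue
				}
				if _, err := netip.ParseAddr(e); err == nil {
					continue
				}
				suffixes = append(suffixes, "."+e)
			}
		}
	}
	return suffixes
}

// scanForZoneBypass returns every zoned IPv6 literal that is suspicious in the
// context of the NO_PROXY rules present in the same input.
func scanForZoneBypass(lines []string) []finding {
	suffixes := noProxySuffixes(lines)
	var out []finding
	for _, line := range lines {
		for _, m := range bracketedLiteral.FindAllStringSubmatch(line, -1) {
			// %25 is how '%' is written inside a URL host (RFC 6874); decode it so the zone is visible.
			lit := strings.ReplaceAll(m[1], "%25", "%")
			addr, err := netip.ParseAddr(lit)
			if err != nil || addr.Zone() == "" {
				continue // not an IPv6 literal, or no zone at all
			}
			bare := addr.WithZone("")
			var reasons []string
			if !(bare.IsLinkLocalUnicast() || bare.IsLinkLocalMulticast() || bare.IsInterfaceLocalMulticast()) {
				reasons = append(reasons, "zone identifier on an address that is not link-local")
			}
			for _, s := range suffixes {
				if strings.HasSuffix(strings.ToLower(addr.Zone()), s) {
					reasons = append(reasons, "zone ends with NO_PROXY pattern "+s)
				}
			}
			if len(reasons) > 0 {
				out = append(out, finding{Line: line, Address: bare.String(), Zone: addr.Zone(), Reasons: reasons})
			}
		}
	}
	return out
}

func main() {
	for _, f := range scanForZoneBypass(sampleLines) {
		fmt.Printf("SUSPICIOUS %s (zone %q) in %q\n", f.Address, f.Zone, f.Line)
		for _, r := range f.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

On the sample, only the KUBE_HOST line with [fd00:10::20%25.internal.company.com] is reported, with both reasons; the [fe80::1%eth0] entry is a legitimate link-local zone and stays quiet. The same two checks apply to any place a host reaches the proxy decision, so they are worth running over Terraform state and CI variable exports as well.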

Consequences:

  • The attacker establishes a persistent backdoor within the cluster.
  • Proxy-based monitoring and enforcement are effectively neutralised for that connection.
  • If undetected, this can lead to further compromise: data exfiltration, privilege escalation, or lateral movement within the infrastructure.