Severity
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L/E:P/RL:O/RC:C/MAV:N/MAC:L/MPR:L/MUI:R/MS:C/MC:H
Vendor
CloudFoundry Foundation
Versions Affected
- Routing release: v0.118.0 to v0.371.0
- CF Deployment: v0.0.2 to v54.14.0
Description
Route services can be used to send application traffic to network destinations outside of an app's configured egress rules. Because it is the Gorouter, not the application container, that makes the request to the route service URL, a malicious developer with access to Cloud Foundry could bind a route service whose URL points at an HTTP service on an internal network reachable by the Gorouter, including services that are not otherwise reachable from outside networks or from the application itself.
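The following is an added audit check, not code from the Cloud Foundry project or from this advisory. It lists the route-service URLs that developers have already bound and flags any whose host is a literal address in, or resolves to, a private, loopback, link-local or shared-address range. It assumes the JSON shape returned by `cf curl /v3/service_route_bindings` (each resource carrying a `route_service_url` and a `relationships.route` link); the payload embedded below is constructed for illustration, and the helper names (`classify_url`, `audit_route_bindings`) are this example's own.

```python
"""Audit Cloud Foundry route-service bindings for route-service URLs that
point at internal network ranges.

Added example, not code from the Cloud Foundry project. Assumes the input
is the JSON returned by `cf curl /v3/service_route_bindings`; the sample
payload below is constructed for illustration.
"""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

# Ranges that are normally only reachable from inside the platform network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local / cloud metadata
    "fc00::/7",                                        # IPv6 unique local
    "100.64.0.0/10",                                   # shared address space (CGNAT)
)]

# Constructed sample of the v3 response, reduced to the fields used here.
SAMPLE_BINDINGS = json.dumps({
    "resources": [
        {"guid": "b1", "route_service_url": "https://auth-proxy.example.com/",
         "relationships": {"route": {"data": {"guid": "r1"}}}},
        {"guid": "b2", "route_service_url": "http://10.0.8.15:8080/admin",
         "relationships": {"route": {"data": {"guid": "r2"}}}},
        {"guid": "b3", "route_service_url": "http://169.254.169.254/latest/meta-data",
         "relationships": {"route": {"data": {"guid": "r3"}}}},
    ]
})


def resolve(host):
    """Return the set of IP addresses `host` resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_internal(addr):
    """True if the address string falls in any INTERNAL_NETS range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_url(url, resolver=resolve):
    """Return (verdict, addresses) for a route-service URL.

    verdict is "internal" if any address falls in INTERNAL_NETS, "external"
    if none do, or "unresolved" if the host is missing or cannot be resolved
    (treat unresolved as needing manual review, not as safe).
    """
    host = urlsplit(url).hostname
    if not host:
        return "unresolved", set()
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: no DNS lookup
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return "unresolved", set()
    if any(is_internal(a) for a in addrs):
        return "internal", addrs
    return "external", addrs


def audit_route_bindings(payload, resolver=resolve):
    """Return bindings whose route_service_url targets an internal range or
    cannot be resolved, as (binding_guid, route_guid, url, verdict) tuples."""
    findings = []
    for b in json.loads(payload).get("resources", []):
        url = b.get("route_service_url") or ""
        verdict, _ = classify_url(url, resolver)
        if verdict != "external":
            route = b["relationships"]["route"]["data"]["guid"]
            findings.append((b["guid"], route, url, verdict))
    return findings


if __name__ == "__main__":
    for guid, route, url, verdict in audit_route_bindings(SAMPLE_BINDINGS):
        print(f"{verdict:10s} binding={guid} route={route} url={url}")
```

Run it against the real API output by replacing `SAMPLE_BINDINGS` with the body of `cf curl /v3/service_route_bindings` (paginated; follow `pagination.next` for large foundations). Two caveats: the addresses are resolved from wherever the script runs, so a hostname may resolve differently from the Gorouter's point of view, and a binding that looks external today can be repointed by updating the user-provided service. The check is a snapshot of existing bindings and does not replace the upgrade below.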
Affected Cloud Foundry Products and Versions
- Routing release
  - All versions from v0.118.0 to v0.371.0 (inclusive)
- CF Deployment
  - All versions from v0.0.2 to v54.14.0 (inclusive)
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- Routing release
  - Upgrade routing_release to v0.372.0 or greater
- CF Deployment
  - Upgrade cf-deployment to v55.0.0 or greater
    - Includes routing_release v0.372.0
Credit
Found and reported by SAP
History
Apr 20, 2026: Initial vulnerability report published
