fix(deps): update module github.com/cilium/cilium to v1.16.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.16.5 -> v1.16.6

GitHub Vulnerability Alerts

CVE-2025-23047

Impact

For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page.

Patches

This issue was patched in cilium/cilium@a3489f1

This issue affects:

• Cilium between v1.14.0 and v1.14.18 inclusive
• Cilium between v1.15.0 and v1.15.12 inclusive
• Cilium between v1.16.0 and v1.16.5 inclusive

This issue is patched in:

• Cilium v1.14.19
• Cilium v1.15.13
• Cilium v1.16.6

Workarounds

Users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template as shown in the patch.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​ciffelia for reporting this issue and to @​geakstr for the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.16.6: 1.16.6

Compare Source

Summary of Changes

Major Changes:

• Add feature tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​35852, @​aanm)
• Add feature tracking in Cilium Operator as prometheus metrics (Backport PR #​36263, Upstream PR #​36077, @​aanm)

Minor Changes:

• envoy: Use yaml format for bootstrap config (Backport PR #​36782, Upstream PR #​36820, @​sayboras)
• Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (#​36561, @​pippolo84)
• service: Cap number of backends included in monitor message (Backport PR #​36635, Upstream PR #​36394, @​joamaki)

Bugfixes:

• cilium: LB source ranges fixes (Backport PR #​36635, Upstream PR #​36517, @​borkmann)
• eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport PR #​36872, Upstream PR #​36617, @​sderoe)
• envoy: Configure internal address config based on IP family (Backport PR #​36782, Upstream PR #​36733, @​sayboras)
• Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport PR #​36635, Upstream PR #​36176, @​tamilmani1989)
• metrics/features: remove reporting metrics' defaults by default (Backport PR #​36263, Upstream PR #​36298, @​aanm)
• pkg/redirectpolicy: Fix backend slices in processConfig (Backport PR #​36872, Upstream PR #​35496, @​Sm0ckingBird)
• ui: drop CORS headers from api response (Backport PR #​36872, Upstream PR #​35762, @​geakstr)

CI Changes:

• [v1.16] .github: Remove CI Fuzz workflow (#​36641, @​joestringer)
• [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (#​36620, @​julianwiedmann)
• [v1.16] gha: use /test to trigger tests in stable branches (#​36673, @​giorio94)
• ci: fix job names for various ci workflows (Backport PR #​36263, Upstream PR #​36397, @​marseel)
• Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR #​36872, Upstream PR #​33398, @​giorio94)
• gh: e2e-upgrade: add coverage for 6.6 kernel (Backport PR #​36988, Upstream PR #​36626, @​julianwiedmann)
• gh: e2e-upgrade: de-renovate the config example (Backport PR #​36635, Upstream PR #​36463, @​julianwiedmann)
• gha: drop leftover token parameter in net-perf-gke workflow (#​36684, @​giorio94)
• gha: fix merging of features-related artifacts (#​36665, @​giorio94)
• gha: merge artifacts in net-perf-gke workflow (Backport PR #​36263, Upstream PR #​36236, @​giorio94)
• gha: Use ubuntu-24.04 for integration-test (Backport PR #​36659, Upstream PR #​36628, @​sayboras)

Misc Changes:

• .github/workflows: always install cilium-cli (Backport PR #​36263, Upstream PR #​36234, @​aanm)
• .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR #​36263, Upstream PR #​36461, @​aanm)
• .github: fix conformance-k8s NP test (Backport PR #​36263, Upstream PR #​36355, @​aanm)
• [v1.16] Use bash syntax to consume env variable (#​36636, @​ferozsalam)
• Add more features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36078, @​aanm)
• Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36203, @​aanm)
• Add the tls:// prefix in the Hubble TLS doc (Backport PR #​36635, Upstream PR #​36410, @​liyihuang)
• chore(deps): update all github action dependencies (v1.16) (#​36612, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36762, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36950, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36760, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36707, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36787, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36949, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37033, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (#​36895, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 7c3c3ce (v1.16) (#​36609, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.16) (#​36850, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 9855006 (v1.16) (#​36610, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.11 (v1.16) (#​37045, @​cilium-renovate[bot])
• chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (#​36839, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36611, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36699, @​cilium-renovate[bot])
• doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport PR #​36872, Upstream PR #​36701, @​alagoutte)
• docs: Add missing default identity label in the description of identity-relevant labels' example (Backport PR #​36635, Upstream PR #​36558, @​liyihuang)
• docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR #​36635, Upstream PR #​36549, @​verysonglaa)
• Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport PR #​36635, Upstream PR #​36417, @​EricMountain)
• Fix make -C Documentation update-cmdref when make uses --jobserver-style=fifo. (Backport PR #​36872, Upstream PR #​36788, @​gentoo-root)
• fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (#​36711, @​cilium-renovate[bot])
• ingress, gateway-api: Convert test fixtures to file based (Backport PR #​36782, Upstream PR #​36732, @​sayboras)
• metrics/features: enable ClusterMesh (Backport PR #​36263, Upstream PR #​36402, @​aanm)
• metrics/features: refactor metric names (Backport PR #​36263, Upstream PR #​36209, @​aanm)
• Prepare for release v1.16.6 (#​36989, @​cilium-release-bot[bot])
• Remove reference to DNS polling (Backport PR #​36872, Upstream PR #​36679, @​JacobHenner)

Other Changes:

• [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (#​36650, @​ysksuzuki)
• install: Update image digests for v1.16.5 (#​36671, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.6@​sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
quay.io/cilium/cilium:stable@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.6@​sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a
quay.io/cilium/clustermesh-apiserver:stable@sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a

docker-plugin

quay.io/cilium/docker-plugin:v1.16.6@​sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66
quay.io/cilium/docker-plugin:stable@sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66

hubble-relay

quay.io/cilium/hubble-relay:v1.16.6@​sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
quay.io/cilium/hubble-relay:stable@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.6@​sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9
quay.io/cilium/operator-alibabacloud:stable@sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9

operator-aws

quay.io/cilium/operator-aws:v1.16.6@​sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d
quay.io/cilium/operator-aws:stable@sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d

operator-azure

quay.io/cilium/operator-azure:v1.16.6@​sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd
quay.io/cilium/operator-azure:stable@sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd

operator-generic

quay.io/cilium/operator-generic:v1.16.6@​sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
quay.io/cilium/operator-generic:stable@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc

operator

quay.io/cilium/operator:v1.16.6@​sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46
quay.io/cilium/operator:stable@sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: KubeArmor/go.sum

Command failed: install-tool golang 1.22.11