Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-hqrf-67pm-wgfq

Omni Wireguard SideroLink potential escape

Also known asCVE-2025-59824GO-2025-3979
Published
Sep 24, 2025
Updated
Oct 23, 2025
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.2%probability of exploitation in next 30 days
Lower Risk8th percentile+0.15%
0.00%0.23%0.45%0.68%0.1%0.2%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/siderolabs/omni

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Overview

Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access.

In this setup, Omni assigns a random IPv6 address to each Talos machine from a /64 network block. Omni itself uses the fixed ::1 address within that same block.

From Omni's perspective, this is a WireGuard interface with multiple peers, where each peer corresponds to a Talos machine. The WireGuard interface on Omni is configured to ensure that the source IP address of an incoming packet matches the IPv6 address assigned to the Talos peer. However, it performs no validation on the packet's destination address.

The Talos end of the SideroLink connection cannot be considered a trusted environment. Workloads running on Kubernetes, especially those configured with host networking, could gain direct access to this link. Therefore, a malicious workload could theoretically send arbitrary packets over the SideroLink interface.

Impact

This vulnerability creates two distinct attack scenarios based on Omni's IP forwarding configuration.

  1. IP Forwarding Disabled (Default) If IP forwarding is disabled, an attacker on a Talos machine can send packets over SideroLink to any listening service on Omni itself (e.g., an internal API). If Omni is running in host networking mode, any service on the host machine could also be targeted. While this is the default configuration, Omni does not enforce it.

  2. IP Forwarding Enabled If IP forwarding is enabled, an attacker on a Talos machine can communicate with other machines connected to Omni or route packets deeper into Omni's network. Although this is not the default configuration, Omni does not check for or prevent this state.

Patches

The problem has been fixed in Omni >= 0.48.0, the commit is https://github.com/siderolabs/omni/commit/a5efd816a239e6c9e5ea7c0d43c02c04504d7b60

Workarounds

Disable IP forwarding, implement strict firewall rules.

References

None

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/siderolabs/omniall versions0.48.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/siderolabs/omni. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/siderolabs/omni to 0.48.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hqrf-67pm-wgfq is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-hqrf-67pm-wgfq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-hqrf-67pm-wgfq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Overview Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. In this setup, Omni assigns a random IPv6 address to each Talos machine from a `/64` network block. Omni itself uses the fixed `::1` address within that same block. From Omni's perspective, this is a WireGuard interface with multiple peers, where each peer corresponds to a Talos machine. The WireGuard interface on Omni is configured to ensure that the **source IP address** of an incoming packet matches the IPv6 address assigned to the Ta
O3 Security · Impact-Aware SCA

Is GHSA-hqrf-67pm-wgfq in your dependencies?

O3 detects GHSA-hqrf-67pm-wgfq across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works