SCA: security update for github.com/neuvector/neuvector (GHSA-qqj3-g7mx-5p4w)

high Tenable Cloud Security Plugin ID 435705

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is
enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In
affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous
cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-
middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally,
NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which
makes it vulnerable to a Denial of Service(DoS) attack (CVE-2025-54470)

See Also

https://github.com/advisories/GHSA-qqj3-g7mx-5p4w

Plugin Details

Severity: High

ID: 435705

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 10/22/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.71

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2025-54470

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/21/2025

Vulnerability Publication Date: 10/21/2025

Reference Information

CVE: CVE-2025-54470