chore(deps): update module github.com/containernetworking/plugins to v1.9.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containernetworking/plugins	v1.8.0 -> v1.9.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-67499

Background

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to 198.51.100.42:53 be forwarded to the container's network.

Vulnerability

When the portmap plugin is configured with the nftables backend, it inadvertently forwards all traffic with the same destination port as the host port, ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.

In the given example above, traffic destined to port 53 but for a separate container would still be captured and forwarded, even though it was not destined for the host.

Impact

Containers (i.e. kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. (The iptables backend is the default.)

Patches

This is fixed as of CNI plugins v1.9.0

Workarounds

Configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

---

Release Notes

containernetworking/plugins (github.com/containernetworking/plugins)

v1.9.0: CNI plugins v1.9.0

Compare Source

What's Changed

This release fixes CVE-2025-67499, a bug in the nftables backend for the portmap plugin that can cause traffic to be unexpectedly intercepted.

Bugs

• portmap: ensure nftables backend only intercept local traffic by @​champtar in #​1210.

Other changes

• Fix file exists errro in dummy cni by @​liuyuan10 in #​1205
• Ignore settling with down state since it would never settle by @​bn222 in #​1207

Full Changelog: containernetworking/plugins@v1.8.0...v1.9.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: renovate[bot]
Once this PR has been reviewed and has the lgtm label, please assign mtrmac for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment