CRE-2025-0057

Verbose Logging in AWS Network Policy Agent During Policy Verdicts

Low
Impact: 3/10
Mitigation: 1/10

Description

- When using AWS Network Policy Agent with VPC CNI addon v1.17.1, the log message `failed to get caller` may appear frequently.
- This behavior correlates with policy verdicts being evaluated, and the volume increases in environments with higher traffic or more active policies.
- The issue does not indicate functional failure, but it increases log volume and may obscure real issues.

Mitigation

- Upgrade to AWS Network Policy Agent v1.1.2 or later, where the issue is resolved.
- Upgrade the VPC CNI addon to v1.18.2 or later, which includes the fixed version of the agent.
- If immediate upgrade is not possible, use log filtering or rate-limiting in your logging pipeline to reduce noise.
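
One way to apply the rate-limiting fallback in a pipeline stage, as an added example rather than code from the agent or the CRE project: it forwards every unrelated line, keeps only the first few `failed to get caller` lines per window, and emits a single summary of what was dropped so the suppression stays visible. The function name `rate_limit`, the `limit` and `window` values, the summary text, and the sample records are assumptions constructed for illustration.

```python
from typing import Iterable, Iterator, Tuple

NOISY = "failed to get caller"  # message text quoted in the CRE description


def rate_limit(records: Iterable[Tuple[float, str]], limit: int = 2,
               window: float = 60.0, needle: str = NOISY) -> Iterator[str]:
    """Forward every line, but at most `limit` lines containing `needle`
    per `window` seconds; emit one summary line for what was dropped."""
    start = None   # timestamp of the first noisy line in the current window
    seen = 0       # noisy lines counted in the current window

    def summary() -> str:
        return (f"[log-filter] suppressed {seen - limit} "
                f"'{needle}' lines since t={start:.0f}")

    for ts, line in records:
        # Close the window once it has aged out, reporting any drops.
        if start is not None and ts - start >= window:
            if seen > limit:
                yield summary()
            start, seen = None, 0
        if needle not in line:
            yield line          # unrelated lines always pass through
            continue
        if start is None:
            start = ts
        seen += 1
        if seen <= limit:
            yield line
    if seen > limit:
        yield summary()         # flush the last window at end of stream


# Constructed sample input (not real agent output): (arrival time, line)
SAMPLE = [
    (0.0, "failed to get caller"),
    (1.0, "failed to get caller"),
    (2.0, "failed to get caller"),
    (3.0, "error: policy endpoint update failed"),
    (4.0, "failed to get caller"),
    (70.0, "failed to get caller"),
]

if __name__ == "__main__":
    for out in rate_limit(SAMPLE):
        print(out)
```

Matching on the exact message text keeps the filter from hiding other errors emitted by the same component.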

References