CVE-2025-5187
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-27

Last updated on: 2025-08-29

Assigner: Kubernetes

Description
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-27
Last Modified
2025-08-29
Generated
2026-06-16
AI Q&A
2025-08-27
EPSS Evaluated
2026-06-14
NVD
CVE-2025-5187
EUVD
EUVD-2025-25937
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kubernetes kube-apiserver *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the NodeRestriction admission controller of Kubernetes clusters. Normally, node users can create and patch their own node objects but cannot delete them. However, due to improper handling of OwnerReferences, a node user can patch their node object by adding an OwnerReference to a cluster-scoped resource. If that referenced resource does not exist or is deleted, Kubernetes garbage collection will delete the node object. This allows a compromised node to delete its own node object and then recreate it with altered taints or labels, which can affect cluster behavior and pod scheduling. [1, 2]

Impact Analysis

The vulnerability allows a compromised node user to delete and recreate their own node object with modified taints or labels, which are normally restricted. This manipulation can impact cluster behavior by affecting pod scheduling on the compromised node. It can lead to unauthorized changes in the cluster, potentially compromising confidentiality and integrity of the cluster's operation. The CVSS score indicates a medium severity with high impact on confidentiality and integrity. [1, 2]

Detection Guidance

Detection can be performed by analyzing Kubernetes API audit logs for patch requests from node users that modify OwnerReferences. Such patch requests are abnormal because Kubelets do not normally patch their own OwnerReferences. You can use commands like 'kubectl logs' to retrieve API server audit logs and then grep or filter for patch operations on node objects that include modifications to OwnerReferences by node users. [1, 2]

Mitigation Strategies

Immediate mitigation steps include upgrading the kube-apiserver to patched versions (v1.31.12 or later, v1.32.8 or later, or v1.33.4 or later) which enhance the NodeRestriction admission controller to block node users from modifying their own OwnerReferences. Alternatively, you can enable the OwnerReferencesPermissionEnforcement admission controller, which enforces strict permission checks on OwnerReferences modifications and prevents unauthorized changes. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-5187. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart