CVE-2025-59836
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siderolabs | omni | Up to 1.0.2 (exc) |
| siderolabs | omni | From 1.1.0 (inc) to 1.1.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a nil pointer dereference in the Omni Resource Service that allows unauthenticated users to cause a server panic and denial of service. It is triggered when empty create or update resource requests are sent to the API endpoints. Specifically, the isSensitiveSpec function calls CreateResource without checking whether the resource's Metadata field is nil. When Metadata is nil, CreateResource dereferences resource.Metadata.Version, which causes a nil pointer dereference (a segmentation fault) and crashes the server.
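The following Go program is an added illustration of the defect pattern described above and of its fix; it is not code from Omni or from Sidero Labs. The Metadata and Resource types, the versionUnchecked/versionChecked functions and the callSafely wrapper are all constructed for the example: versionUnchecked dereferences Metadata without a check (the pattern the advisory attributes to CreateResource), versionChecked validates the request first and returns an error instead, and callSafely shows the panic-recovery backstop an RPC layer can add so that one malformed request cannot bring down the whole process.

```go
package main

import (
	"errors"
	"fmt"
)

// Metadata and Resource are constructed for this example to mirror the shape
// the advisory describes (a Metadata field that is nil on an empty request).
// They are not Omni's real types.
type Metadata struct {
	Version string
}

type Resource struct {
	Metadata *Metadata
	Spec     map[string]string
}

// ErrMissingMetadata is what the hardened path returns to the client instead
// of letting the server process die.
var ErrMissingMetadata = errors.New("invalid request: resource metadata is required")

// versionUnchecked reproduces the defect pattern: it reads Metadata.Version
// without first checking that Metadata is non-nil, so a request with empty
// metadata panics the handling goroutine.
func versionUnchecked(r *Resource) string {
	return r.Metadata.Version
}

// versionChecked is the hardened form: validate the request shape before
// dereferencing anything, and turn the failure into an ordinary error that
// the API can return as a 4xx / InvalidArgument response.
func versionChecked(r *Resource) (string, error) {
	if r == nil || r.Metadata == nil {
		return "", ErrMissingMetadata
	}
	return r.Metadata.Version, nil
}

// callSafely is a defence-in-depth wrapper of the kind an RPC server installs
// as an interceptor or middleware: it converts a handler panic into an error
// so one malformed request cannot take the whole process down. It is a
// backstop, not a substitute for the input check in versionChecked.
func callSafely(fn func() string) (out string, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			err = fmt.Errorf("handler panicked: %v", rec)
		}
	}()
	return fn(), nil
}

func main() {
	empty := &Resource{} // constructed: what an empty create request decodes to
	full := &Resource{Metadata: &Metadata{Version: "3"}}

	if v, err := versionChecked(empty); err != nil {
		fmt.Println("checked, empty:", err)
	} else {
		fmt.Println("checked, empty:", v)
	}
	v, _ := versionChecked(full)
	fmt.Println("checked, full:", v)

	// The unchecked path panics on the empty request; the wrapper recovers it.
	_, err := callSafely(func() string { return versionUnchecked(empty) })
	fmt.Println("unchecked, empty (recovered):", err)
}
```

The two layers matter for different reasons: the explicit nil check is what makes the service reject the malformed request with a proper error, while the recover wrapper limits the blast radius of any similar check that is still missing elsewhere.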
How can this vulnerability impact me?
The vulnerability can cause a denial of service by crashing the server when it receives empty create or update resource requests. This means an attacker can disrupt the availability of the Omni Resource Service without authentication, potentially impacting the stability and reliability of Kubernetes management on bare metal, virtual machines, or cloud environments.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Omni to a fixed release: 1.0.2 or later on the 1.0 branch, or 1.1.5 or later on the 1.1 branch. These versions contain the fix for the nil pointer dereference that causes the server panic and denial of service.