CVE-2025-5187
Published 2025-08-27. CVE-2025-5187: A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by…
Priority P3 · 35 · medium · 6.7 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.43% (34.7th percentile)
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
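The mechanism above leaves a clear trace in the API server audit log: a request authenticated as a node identity (group `system:nodes`, username `system:node:<name>`) that writes `metadata.ownerReferences` onto a `nodes` object. The following detection routine is an added example, not part of this advisory or of Kubernetes itself. It assumes the audit policy records `nodes` requests at level `Request` or `RequestResponse` (so `requestObject` is present) and that the log is JSON lines in the `audit.k8s.io/v1` Event shape; the sample events are constructed for illustration and handle both JSON merge patches and RFC 6902 JSON patches.

```python
"""Flag Kubernetes audit events where a node identity writes ownerReferences
onto a Node object, the write that CVE-2025-5187 turns into a self-delete.

Assumptions (not from the advisory): audit level Request/RequestResponse for the
`nodes` resource so `requestObject` is logged; standard audit.k8s.io/v1 Event
fields (user, verb, objectRef, requestObject, auditID).
"""
import json

NODE_GROUP = "system:nodes"
NODE_USER_PREFIX = "system:node:"
WRITE_VERBS = {"patch", "update", "create"}


def _touches_owner_refs(body) -> bool:
    """True if a request body sets or changes metadata.ownerReferences."""
    # Merge patch, strategic merge patch, or a full object: nested under metadata.
    if isinstance(body, dict):
        meta = body.get("metadata")
        return isinstance(meta, dict) and "ownerReferences" in meta
    # RFC 6902 JSON patch: a list of ops, each with a JSON-pointer path.
    if isinstance(body, list):
        return any(
            isinstance(op, dict)
            and str(op.get("path", "")).startswith("/metadata/ownerReferences")
            for op in body
        )
    return False


def is_node_owner_ref_write(event: dict) -> bool:
    """True if a node identity is writing ownerReferences on a nodes object."""
    user = event.get("user", {})
    ref = event.get("objectRef", {})
    if ref.get("resource") != "nodes" or event.get("verb") not in WRITE_VERBS:
        return False
    username = user.get("username", "")
    is_node = NODE_GROUP in user.get("groups", []) or username.startswith(NODE_USER_PREFIX)
    if not is_node:
        return False
    return _touches_owner_refs(event.get("requestObject"))


def scan_audit_log(lines):
    """Return (username, node name, auditID) for every matching event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the scan
        if is_node_owner_ref_write(ev):
            hits.append((ev["user"]["username"], ev["objectRef"].get("name", ""), ev.get("auditID", "")))
    return hits


# Constructed sample audit lines (not real cluster data).
SAMPLE_AUDIT_LINES = [
    # 1. Node sets an OwnerReference on itself via merge patch -> hit
    json.dumps({"kind": "Event", "auditID": "a1", "verb": "patch",
                "user": {"username": "system:node:worker-1", "groups": ["system:nodes", "system:authenticated"]},
                "objectRef": {"resource": "nodes", "name": "worker-1"},
                "requestObject": {"metadata": {"ownerReferences": [
                    {"apiVersion": "v1", "kind": "Namespace", "name": "does-not-exist", "uid": "placeholder-uid"}]}}}),
    # 2. Routine kubelet status heartbeat -> no hit
    json.dumps({"kind": "Event", "auditID": "a2", "verb": "patch",
                "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
                "objectRef": {"resource": "nodes", "name": "worker-1", "subresource": "status"},
                "requestObject": {"status": {"conditions": []}}}),
    # 3. Cluster admin sets ownerReferences -> not a node identity, no hit
    json.dumps({"kind": "Event", "auditID": "a3", "verb": "patch",
                "user": {"username": "admin", "groups": ["system:masters"]},
                "objectRef": {"resource": "nodes", "name": "worker-2"},
                "requestObject": {"metadata": {"ownerReferences": []}}}),
    # 4. Same write as (1) expressed as an RFC 6902 JSON patch -> hit
    json.dumps({"kind": "Event", "auditID": "a4", "verb": "patch",
                "user": {"username": "system:node:worker-3", "groups": ["system:nodes"]},
                "objectRef": {"resource": "nodes", "name": "worker-3"},
                "requestObject": [{"op": "add", "path": "/metadata/ownerReferences",
                                   "value": [{"apiVersion": "v1", "kind": "Namespace", "name": "x", "uid": "u"}]}]}),
    "not json at all",
]

if __name__ == "__main__":
    for username, node, audit_id in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(f"ALERT auditID={audit_id}: {username} wrote ownerReferences on node {node}")
```

On a patched cluster the same request is rejected by NodeRestriction, so the event would appear with a non-2xx `responseStatus` instead of succeeding; the scan above fires either way, which is what you want, since the attempt itself indicates a node credential being misused.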
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.31.12 | 1.31.12 |
| k8s.io | kubernetes | >= 1.32.0-alpha.0 < 1.32.8 | 1.32.8 |
| k8s.io | kubernetes | >= 1.33.0-alpha.0 < 1.33.4 | 1.33.4 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | v1.31.0 – v1.31.11 | — |
| kubernetes | kubernetes | v1.32.0 – v1.32.7 | — |
| kubernetes | kubernetes | v1.33.0 – v1.33.3 | — |
| msrc | azl3_pytorch_2.2.2-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_pytorch_2.2.2-7_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_pytorch_2.0.0-8_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L |
| osv | 6.7 | MEDIUM | — |
| vendor_msrc | 8.8 | HIGH | — |
| vendor_debian | 6.7 | MEDIUM | — |
| vendor_redhat | 6.7 | MEDIUM | — |
OSV
Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes
osv·2025-09-18
OSV
CVE-2025-5187: A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object
osv·2025-08-27·CVSS 6.7
OSV
Kubernetes Nodes can delete themselves by adding an OwnerReference
osv·2025-08-27
GHSA
Kubernetes Nodes can delete themselves by adding an OwnerReference
ghsa·2025-08-27·MEDIUM·CWE-863
Red Hat
kubernetes: kube-apiserver: Nodes can delete themselves by adding an OwnerReference
vendor_redhat·2025-08-12·CVSS 6.7·MEDIUM·CWE-306
A vulnerability was found in the kube-apiserver's NodeRestriction admission controller, where node users can delete their corresponding node object by setting their own OwnerReference to a cluster-scoped resource. This flaw allows an attacker to delete and recreate its node object, leading to the node being recreated with modified taints or labels, w
Debian
CVE-2025-5187: kubernetes - A vulnerability exists in the NodeRestriction admission controller in Kubernetes...
vendor_debian·2025·CVSS 6.7
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
Microsoft
Arbitrary File Overwrite in download_model_with_test_data in onnx/onnx
vendor_msrc·2024-06-11·CVSS 8.8·HIGH·CWE-22 (CVE-2024-5187)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner
@huntr_ai
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-5187 kubernetes: kube-apiserver: Nodes can delete themselves by adding an OwnerReference
bugzilla·2025-07-01·CVSS 6.7·MEDIUM
A vulnerability exists in the NodeRestriction admission controller where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. By default, node
users are authorized for create and patch requests but not delete requests against their node object. Since the NodeRestriction admission controller does not prevent patching OwnerReferences, a compromised node could leverage this vulnerability to delete and then recreate its node object. This would permit the node object to be recreated with
Bugzilla
CVE-2025-22001 kernel: accel/qaic: Fix integer overflow in qaic_validate_req()
bugzilla·2025-04-03·CVSS 5.5·MEDIUM
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Fix integer overflow in qaic_validate_req()
These are u64 variables that come from the user via
qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that
the math doesn't have an integer wrapping bug.
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025040349-CVE-2025-22001-5187@gregkh/T
Published: 2025-08-27