CVE-2025-5187 — Incorrect Authorization in Kubernetes

CWE-863 — Incorrect Authorization CWE-306 — Missing Authentication for Critical Function CWE-22 — Path Traversal9 documents7 sources

Severity

6.7MEDIUMNVD

EPSS

0.0%

top 91.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Kubernetes

Timeline

PublishedAug 27

Latest updateSep 18

Description

A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:LExploitability: 1.2 | Impact: 5.5

Affected Packages3 packages

▶Gok8s.io/kubernetes1.32.0-alpha.0 — 1.32.8+2

▶Debiankubernetes/kubernetes< 1.20.5+really1.20.2-1+3

▶CVEListV5kubernetes/kubernetesv1.31.0 — v1.31.11+2

🔴Vulnerability Details

OSV

Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes↗2025-09-18

▶

OSV

CVE-2025-5187: A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object↗2025-08-27

▶

OSV

Kubernetes Nodes can delete themselves by adding an OwnerReference↗2025-08-27

▶

CVEList

Nodes can delete themselves by adding an OwnerReference↗2025-08-27

▶

GHSA

Kubernetes Nodes can delete themselves by adding an OwnerReference↗2025-08-27

▶

📋Vendor Advisories

Red Hat

kubernetes: kube-apiserver: Nodes can delete themselves by adding an OwnerReference↗2025-08-12

▶

Debian

CVE-2025-5187: kubernetes - A vulnerability exists in the NodeRestriction admission controller in Kubernetes...↗2025

▶

Microsoft

Arbitrary File Overwrite in download_model_with_test_data in onnx/onnx↗2024-06-11

▶