
Description

A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.

PUBLISHED Reserved 2025-05-25 | Published 2025-08-27 | Updated 2025-08-28 | Assigner kubernetes




MEDIUM: 6.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-863 Incorrect Authorization

Product status

Default status: unaffected

v1.31.0: affected
v1.32.0: affected
v1.33.0: affected

Credits

Paul Viossat (finder)

References

github.com/kubernetes/kubernetes/issues/133471 (issue-tracking)

groups.google.com/...ernetes-security-announce/c/znSNY7XCztE (mailing-list)

cve.org (CVE-2025-5187)

nvd.nist.gov (CVE-2025-5187)
