{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-5187", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "state": "PUBLISHED", "assignerShortName": "kubernetes", "dateReserved": "2025-05-25T18:24:14.173Z", "datePublished": "2025-08-27T16:20:56.778Z", "dateUpdated": "2025-08-28T03:55:26.841Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2025-08-27T16:20:56.778Z"}, "title": "Nodes can delete themselves by adding an OwnerReference", "datePublic": "2025-08-13T20:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"status": "affected", "version": "v1.31.0", "lessThanOrEqual": "v1.31.11", "versionType": "custom"}, {"status": "affected", "version": "v1.32.0", "lessThanOrEqual": "v1.32.7", "versionType": "custom"}, {"status": "affected", "version": "v1.33.0", "lessThanOrEqual": "v1.33.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection."}]}], "references": [{"url": "https://github.com/kubernetes/kubernetes/issues/133471", "tags": ["issue-tracking"]}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE", "tags": ["mailing-list"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"}}], "solutions": [{"lang": "en", "value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/", "supportingMedia": [{"type": "text/html", "base64": false, "value": "To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/</a><br>"}]}], "credits": [{"lang": "en", "value": "Paul Viossat", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-27T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-5187"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T03:55:26.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5187", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-27T17:20:41.645630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-27T17:20:49.729Z"}}], "cna": {"title": "Nodes can delete themselves by adding an OwnerReference", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Paul Viossat"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"status": "affected", "version": "v1.31.0", "versionType": "custom", "lessThanOrEqual": "v1.31.11"}, {"status": "affected", "version": "v1.32.0", "versionType": "custom", "lessThanOrEqual": "v1.32.7"}, {"status": "affected", "version": "v1.33.0", "versionType": "custom", "lessThanOrEqual": "v1.33.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/", "supportingMedia": [{"type": "text/html", "value": "To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/</a><br>", "base64": false}]}], "datePublic": "2025-08-13T20:00:00.000Z", "references": [{"url": "https://github.com/kubernetes/kubernetes/issues/133471", "tags": ["issue-tracking"]}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2025-08-27T16:20:56.778Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5187", "state": "PUBLISHED", "dateUpdated": "2025-08-28T03:55:26.841Z", "dateReserved": "2025-05-25T18:24:14.173Z", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "datePublished": "2025-08-27T16:20:56.778Z", "assignerShortName": "kubernetes"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection."}, {"lang": "es", "value": "Existe una vulnerabilidad en el controlador de admisi\u00f3n NodeRestriction de los cl\u00fasteres de Kubernetes, donde los usuarios de los nodos pueden eliminar su objeto de nodo correspondiente al aplicar una referencia de propietario a un recurso del cl\u00faster. Si el recurso OwnerReference no existe o se elimina posteriormente, el objeto de nodo en cuesti\u00f3n se eliminar\u00e1 mediante la recolecci\u00f3n de elementos no utilizados."}], "id": "CVE-2025-5187", "lastModified": "2025-08-29T16:24:09.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2025-08-27T17:15:48.270", "references": [{"source": "jordan@liggitt.net", "url": "https://github.com/kubernetes/kubernetes/issues/133471"}, {"source": "jordan@liggitt.net", "url": "https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"bugzilla": {"description": "kubernetes: kube-apiserver: Nodes can delete themselves by adding an OwnerReference", "id": "2375801", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2375801"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-306", "details": ["A vulnerability was found in the kube-apiserver's NodeRestriction admission controller, where node users can delete their corresponding node object by setting their own OwnerReference to a cluster-scoped resource. This flaw allows an attacker to delete and recreate its node object, leading to the node being recreated with modified taints or labels, which should not be allowed in this context. This may let the attacker control which pods are running on the compromised node."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be mitigated by enabling the OwnerReferencesPermissionEnforcement admission controller, which will prevent any user without delete permissions on an object from modifying the OwnerReferences on that object.\nNote that this admission controller will apply to all users and object types."}, "name": "CVE-2025-5187", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-hyperkube-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-kube-proxy", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "ose-installer-kube-apiserver-artifacts-container", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-08-12T16:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-5187\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-5187\nhttps://github.com/kubernetes/kubernetes/issues/133471"], "statement": "This vulnerability is rated as having a Moderate severity. For a successful attack to take place, the attacker needs to have a high privileged account with enough privileges to create the nodes.", "threat_severity": "Moderate"}