Bug 2375801 (CVE-2025-5187) - CVE-2025-5187 kubernetes: kube-apiserver: Nodes can delete themselves by adding an OwnerReference
Keywords:
Status: NEW
Alias: CVE-2025-5187
Deadline: 2025-08-12
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2399793 2399794
Blocks:
Reported: 2025-07-01 19:46 UTC by OSIDB Bzimport
Modified: 2025-09-26 19:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-07-01 19:46:43 UTC
A vulnerability exists in the NodeRestriction admission controller where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. By default, node users are authorized for create and patch requests but not delete requests against their node object. Since the NodeRestriction admission controller does not prevent patching OwnerReferences, a compromised node could leverage this vulnerability to delete and then recreate its node object. This would permit the node object to be recreated with modified taints or labels which are normally rejected by this plugin. Modifying taints or labels on a node could allow an attacker to control which pods are running on the compromised node.
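As an added detection example (not from this bug or the Kubernetes project), the following Python scans kube-apiserver audit events for node users writing metadata.ownerReferences onto their own Node object, which is the write this advisory describes. The audit events are constructed sample data, and it assumes the audit policy records nodes at the Request or RequestResponse level so that requestObject is present.

```python
import json

# Constructed Kubernetes audit events (sample data, not from the page or a real cluster).
# requestObject is only recorded at audit level Request or RequestResponse.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # JSON merge patch: node adds an ownerReference to its own Node object
        "verb": "patch", "user": {"username": "system:node:worker-1"},
        "objectRef": {"resource": "nodes", "name": "worker-1"},
        "requestObject": {"metadata": {"ownerReferences": [
            {"apiVersion": "v1", "kind": "Namespace", "name": "missing-ns", "uid": "placeholder-uid"}]}}},
    {   # RFC 6902 JSON patch doing the same thing
        "verb": "patch", "user": {"username": "system:node:worker-2"},
        "objectRef": {"resource": "nodes", "name": "worker-2"},
        "requestObject": [{"op": "add", "path": "/metadata/ownerReferences/-",
                           "value": {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                                     "name": "missing-role", "uid": "placeholder-uid"}}]},
    {   # Benign: kubelet status patch on its own node
        "verb": "patch", "user": {"username": "system:node:worker-3"},
        "objectRef": {"resource": "nodes", "name": "worker-3"},
        "requestObject": {"status": {"conditions": []}}},
    {   # Non-node user touching ownerReferences: not this issue
        "verb": "patch", "user": {"username": "system:serviceaccount:kube-system:generic-garbage-collector"},
        "objectRef": {"resource": "nodes", "name": "worker-1"},
        "requestObject": {"metadata": {"ownerReferences": None}}},
])

def _sets_owner_references(body) -> bool:
    """True if a patch body (merge/strategic dict, full object, or JSON Patch list) sets ownerReferences."""
    if isinstance(body, dict):
        return "ownerReferences" in (body.get("metadata") or {})
    if isinstance(body, list):  # RFC 6902 JSON Patch operations
        return any(isinstance(op, dict) and op.get("op") in ("add", "replace", "copy", "move")
                   and str(op.get("path", "")).startswith("/metadata/ownerReferences") for op in body)
    return False

def find_node_self_ownerref_writes(audit_log: str) -> list:
    """Return (username, node) pairs for node users writing ownerReferences onto their own Node."""
    hits = []
    for line in filter(str.strip, audit_log.splitlines()):
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {})
        if not user.startswith("system:node:") or ref.get("resource") != "nodes" \
                or ev.get("verb") not in ("patch", "update"):
            continue
        if ref.get("name") != user[len("system:node:"):]:
            continue  # another node's object; NodeRestriction already rejects that
        if _sets_owner_references(ev.get("requestObject")):  # update bodies carry the whole object
            hits.append((user, ref["name"]))
    return hits
```

Because an update body carries the full object, a node that already has an ownerReference will match on every update; compare against the prior object state if that noise matters.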

