CVE-2025-5187
Severity: MEDIUM 6.7 | EPSS: 0.04%
Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes
Published: 8/27/2025 | Modified: 4/28/2026
Description
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
Affected packages (3)
- Debian/kubernetes: from 0, < 1.20.5+really1.20.2-1
- Go/k8s.io/kubernetes: from 0, < 1.31.12
- Go/k8s.io/kubernetes: from 0, < 1.31.12; >= 1.32.0-alpha.0, < 1.32.8; >= 1.33.0-alpha.0, < 1.33.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L |
References (7)
- ADVISORY: https://github.com/advisories/GHSA-4x4m-3c2p-qppc
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-5187
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-5187
- PATCH: https://github.com/kubernetes/kubernetes
- WEB: https://github.com/kubernetes/kubernetes/commit/a2d98cac56a0c5cb2d8abc4d087fc00846b3bc0f
- WEB: https://github.com/kubernetes/kubernetes/issues/133471
- WEB: https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE