CVE-2025-5187
📋 TL;DR
A vulnerability in Kubernetes' NodeRestriction admission controller allows node users to delete their own node objects by manipulating OwnerReferences. This affects Kubernetes clusters where the NodeRestriction admission controller is enabled, potentially causing node disruption and workload failures.
💻 Affected Systems
- Kubernetes
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious node users delete their node objects, causing node removal from the cluster, workload eviction, service disruption, and potential data loss if persistent volumes are affected.
Likely Case
Accidental or malicious node deletion leads to temporary workload rescheduling, increased cluster load, and minor service disruption until Kubernetes self-heals.
If Mitigated
With proper RBAC restrictions and monitoring, impact is limited to isolated node issues with minimal cluster-wide effect.
🎯 Exploit Status
Requires node user credentials and knowledge of the Kubernetes API. Exploitation involves patching node objects with specific OwnerReferences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kubernetes v1.31.0, v1.30.5, v1.29.10, v1.28.14
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE
Restart Required: No
Instructions:
1. Upgrade the Kubernetes control plane to a patched version.
2. Ensure kube-apiserver is restarted with the new version.
3. Verify that the NodeRestriction admission controller is functioning correctly.
🔧 Temporary Workarounds
Restrict Node User Permissions
Apply RBAC policies to prevent node users from patching their node objects with OwnerReferences.
kubectl apply -f restrictive-node-rbac.yaml
🧯 If You Can't Patch
- Implement strict RBAC controls to deny node users patch/update permissions on node objects
- Enable audit logging for node object modifications and monitor for suspicious OwnerReference changes
🔍 How to Verify
Check if Vulnerable:
Check the Kubernetes version with 'kubectl version' and verify whether the NodeRestriction admission controller is enabled in the kube-apiserver configuration.
Check Version:
kubectl version
(The --short flag was removed in kubectl v1.28; the plain form prints the client and server versions on all supported releases.)
Verify Fix Applied:
After the upgrade, attempt to reproduce the issue by patching a node with an OwnerReference using node credentials; the request should be rejected by NodeRestriction.
📡 Detection & Monitoring
Log Indicators:
- Audit logs showing node objects being patched with OwnerReferences
- Node deletion events via garbage collection
Network Indicators:
- Unusual API calls to patch node objects from node IPs
SIEM Query:
kubernetes.audit.objectRef.resource:nodes AND kubernetes.audit.verb:(patch OR update) AND kubernetes.audit.user.username:system\:node\:* AND NOT kubernetes.audit.objectRef.subresource:*
Note: ownerReferences is a field under metadata, not an API subresource, so a clause such as objectRef.subresource:ownerReferences never matches. The query above instead surfaces node identities (system:node:<name>) writing to the main Node object, excluding routine kubelet status writes on the status subresource; confirm the ownerReferences change in the request body, which is only recorded when the audit policy logs nodes at Request or RequestResponse level.
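As an added detection example (not part of this advisory or of Kubernetes itself), the following Python scans JSON-lines Kubernetes audit output for the log indicator above: a node identity patching the main Node object with a body that touches metadata.ownerReferences. Field names follow the Kubernetes audit event schema (verb, user.username, objectRef, requestObject); the sample events are constructed, and requestObject is only present when the audit policy records nodes at Request or RequestResponse level.

```python
import json

# Added example (not from the advisory): flag Kubernetes audit events in which a node
# identity (system:node:<name>) patches or updates its Node object and the request body
# touches metadata.ownerReferences. Requires an audit policy that records nodes at
# Request or RequestResponse level, otherwise requestObject is absent from the event.
NODE_USER_PREFIX = "system:node:"

def touches_owner_references(body):
    """True if a patch/update body sets ownerReferences on the object's metadata."""
    if isinstance(body, list):  # JSON Patch (RFC 6902): a list of ops with a path
        return any(str(op.get("path", "")).startswith("/metadata/ownerReferences")
                   for op in body if isinstance(op, dict))
    if isinstance(body, dict):  # merge / strategic-merge patch, or a full update
        meta = body.get("metadata")
        return isinstance(meta, dict) and "ownerReferences" in meta
    return False

def is_suspicious_node_patch(event):
    """Node principal writing ownerReferences on the main Node object (not a subresource)."""
    ref = event.get("objectRef", {})
    user = event.get("user", {}).get("username", "")
    return (ref.get("resource") == "nodes"
            and not ref.get("subresource")  # kubelet status writes use /status and are routine
            and event.get("verb") in ("patch", "update")
            and user.startswith(NODE_USER_PREFIX)
            and touches_owner_references(event.get("requestObject")))

def scan_audit_log(lines):
    """Return (username, node name) for each suspicious event in JSON-lines audit output."""
    hits = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            if is_suspicious_node_patch(ev):
                hits.append((ev["user"]["username"], ev["objectRef"].get("name")))
    return hits

# Constructed sample events (not real cluster data): a routine status patch, a merge patch
# from the same kubelet identity setting an ownerReference on its own Node, and an admin patch.
SAMPLE_LOG = """
{"kind":"Event","verb":"patch","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"nodes","name":"worker-1","subresource":"status"},"requestObject":{"status":{"conditions":[]}}}
{"kind":"Event","verb":"patch","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"nodes","name":"worker-1"},"requestObject":{"metadata":{"ownerReferences":[{"apiVersion":"v1","kind":"Node","name":"placeholder-owner","uid":"00000000-0000-0000-0000-000000000000"}]}}}
{"kind":"Event","verb":"patch","user":{"username":"admin"},"objectRef":{"resource":"nodes","name":"worker-1"},"requestObject":{"metadata":{"labels":{"team":"blue"}}}}
"""
```

Running scan_audit_log(SAMPLE_LOG.splitlines()) reports only the second event; feed it the audit log file line by line to review historical activity.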