CVE-2025-5187

EUVD-2025-25937
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
kubernetesCNA
6.7 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
kuberneteskubernetes
1.31.0 ≤
𝑥
≤ 1.31.11
CNA
kuberneteskubernetes
1.32.0 ≤
𝑥
≤ 1.32.7
CNA
kuberneteskubernetes
1.33.0 ≤
𝑥
≤ 1.33.3
CNA
Common Weakness Enumeration
References
https://github.com/kubernetes/kubernetes/issues/133471
https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE