CVE-2025-5187
MEDIUMKubernetes 1.31.0-1.31.10, 1.32.0-1.32.6, 1.33.0-1.33.2 - Incorrect Authorization via NodeRestriction
Title source: llmDescription
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
References (2)
Core 2
Core References
Issue Tracking issue-tracking
https://github.com/kubernetes/kubernetes/issues/133471
Mailing List mailing-list
https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE
Scores
CVSS v3
6.7
EPSS
0.0043
EPSS Percentile
34.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (4)
k8s.io/kubernetes
0 - 1.31.12Go
Kubernetes/Kubernetes
v1.31.0 - v1.31.11
Kubernetes/Kubernetes
v1.32.0 - v1.32.7
Kubernetes/Kubernetes
v1.33.0 - v1.33.3
Published
Aug 27, 2025
Tracked Since
Feb 18, 2026