CVE-2025-5187
Aliases:GHSA-4x4m-3c2p-qppcGO-2025-3915
Advisory lineage Upstream: 0 Downstream: 3
Deferred
Published: 27 Aug 2025, 16:20
Last modified:26 Feb 2026, 17:47
Vulnerability Summary
Overall Risk (default)
medium
27/100 CVSS Score
6.7 MEDIUM
v3.1 (cve.org)
EPSS Score
0.04% LOW
0% probability +0.02%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
27 Aug 2025, 16:20
Published
Vulnerability first disclosed
26 Feb 2026, 17:47
Last Modified
Vulnerability information updated
Description
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
EPSS Trends
Current EPSS score: 0.04%• Percentile: 13%
Techniques & Countermeasures
- CWE-863•Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Affected Systems
- k8s.io•kubernetes
< 1.31.12 | ≥ 1.32.0-alpha.0, < 1.32.8 | ≥ 1.33.0-alpha.0, < 1.33.4
- kubernetes•kubernetes
≥ v1.31.0, ≤ v1.31.11 | ≥ v1.32.0, ≤ v1.32.7 | ≥ v1.33.0, ≤ v1.33.3
References (6)
- https://github.com/kubernetes/kubernetes/issues/133471
- https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE
- https://nvd.nist.gov/vuln/detail/CVE-2025-5187
- https://github.com/kubernetes/kubernetes/commit/a2d98cac56a0c5cb2d8abc4d087fc00846b3bc0f
- https://github.com/kubernetes/kubernetes
- https://github.com/advisories/GHSA-4x4m-3c2p-qppc