CVE-2025-5187
Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes
6.7
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
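The description above gives a defender a concrete audit signal: a node identity (`system:node:<name>`) writing `metadata.ownerReferences` on its own Node object, something kubelets never do legitimately. The following Python is an added example, not code from the Kubernetes project or from this advisory; it scans Kubernetes audit-log lines (the `audit.k8s.io/v1` Event shape) for that pattern. It assumes the audit policy records request bodies for node writes (`level: Request` or `RequestResponse`), since the check relies on the `requestObject` field, and the sample events embedded in it are constructed, not captured from a real cluster. The upgrade is the fix; this is a way to notice attempts on clusters that have not been patched yet.

```python
import json

NODE_USER_PREFIX = "system:node:"

# Constructed sample audit events (not real cluster data). The uid below is a
# placeholder. a1: merge patch adding an ownerReference to the node's own
# object. a2: the same via an RFC 6902 JSON patch. a3: a normal kubelet status
# patch. a4: an admin (not a node identity) setting ownerReferences.
SAMPLE_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1", "verb": "patch",
     "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
     "objectRef": {"resource": "nodes", "name": "worker-1", "apiVersion": "v1"},
     "requestObject": {"metadata": {"ownerReferences": [
         {"apiVersion": "v1", "kind": "Namespace", "name": "no-such-ns",
          "uid": "00000000-0000-0000-0000-000000000000"}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2", "verb": "patch",
     "user": {"username": "system:node:worker-2", "groups": ["system:nodes"]},
     "objectRef": {"resource": "nodes", "name": "worker-2", "apiVersion": "v1"},
     "requestObject": [{"op": "add", "path": "/metadata/ownerReferences", "value": []}]},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3", "verb": "patch",
     "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
     "objectRef": {"resource": "nodes", "subresource": "status", "name": "worker-1"},
     "requestObject": {"status": {"conditions": [{"type": "Ready", "status": "True"}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a4", "verb": "patch",
     "user": {"username": "kubernetes-admin", "groups": ["system:masters"]},
     "objectRef": {"resource": "nodes", "name": "worker-3", "apiVersion": "v1"},
     "requestObject": {"metadata": {"ownerReferences": []}}},
]
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def patch_touches_owner_refs(request_object) -> bool:
    """True if a request body sets metadata.ownerReferences.

    Merge / strategic-merge patches and full updates arrive as a JSON object;
    JSON patches (RFC 6902) arrive as a list of operations with a path.
    """
    if isinstance(request_object, dict):
        metadata = request_object.get("metadata")
        return isinstance(metadata, dict) and "ownerReferences" in metadata
    if isinstance(request_object, list):
        return any(
            isinstance(op, dict)
            and str(op.get("path", "")).startswith("/metadata/ownerReferences")
            for op in request_object
        )
    return False


def is_self_owner_reference_write(event: dict) -> bool:
    """A node identity writing ownerReferences onto its own Node object."""
    if event.get("verb") not in ("patch", "update"):
        return False
    username = event.get("user", {}).get("username", "")
    if not username.startswith(NODE_USER_PREFIX):
        return False
    node_name = username[len(NODE_USER_PREFIX):]
    ref = event.get("objectRef", {})
    if ref.get("resource") != "nodes" or ref.get("name") != node_name:
        return False
    return patch_touches_owner_refs(event.get("requestObject"))


def find_suspicious_events(lines):
    """Return (auditID, username) for every matching audit line."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise in the log stream
        if is_self_owner_reference_write(event):
            hits.append((event.get("auditID"), event["user"]["username"]))
    return hits


if __name__ == "__main__":
    for audit_id, user in find_suspicious_events(SAMPLE_AUDIT_LINES):
        print(f"ALERT {audit_id}: {user} set ownerReferences on its own Node")
```

Events a3 and a4 are deliberately not flagged: a status patch is normal kubelet traffic, and an admin writing ownerReferences is outside this CVE's scope (though a separate rule for any ownerReferences on a Node object is cheap to add, since Nodes have no legitimate owner). Because the garbage collector acts only once the referenced owner is missing, the write itself is the earliest point at which this can be caught.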
How to fix CVE-2025-5187
To remediate CVE-2025-5187, upgrade the affected package to a fixed version below.
- upgrade to 1.20.5+really1.20.2-1 or later
- upgrade to 1.31.12 or later
- upgrade to 1.31.12 or later
Is CVE-2025-5187 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.20.5+really1.20.2-1
- from 0, < 1.31.12
- from 0, < 1.31.12; >= 1.32.0-alpha.0, < 1.32.8; >= 1.33.0-alpha.0, < 1.33.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.7) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L |