Description
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L - Medium (6.7)
A vulnerability exists in the NodeRestriction admission controller where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. By default, node users are authorized for create and patch requests but not delete requests against their node object. Since the NodeRestriction admission controller does not prevent patching OwnerReferences, a compromised node could leverage this vulnerability to delete and then recreate its node object. This would permit the node object to be recreated with modified taints or labels which are normally rejected by this plugin. Modifying taints or labels on a node could allow an attacker to control which pods are running on the compromised node.
Am I vulnerable?
All clusters that have enabled the NodeRestriction but not the OwnerReferencesPermissionEnforcement admission controller are vulnerable. The OwnerReferencesPermissionEnforcement controller protects access to the OwnerReferences of an object so that only users with delete permission to the object can change it.
Affected Versions
kube-apiserver: <= v1.31.11
kube-apiserver: <= v1.32.7
kube-apiserver: <= v1.33.3
How do I mitigate this vulnerability?
This issue can be mitigated by upgrading to a kube-apiserver binary running one of the patched releases for the 1.31 through 1.33 minor versions listed below. These fixed versions add functionality to the NodeRestriction admission controller that prevents node users from modifying their own OwnerReferences.
Alternatively, this vulnerability can be mitigated by enabling the OwnerReferencesPermissionEnforcement admission controller, which will prevent any user without delete permissions on an object from modifying the OwnerReferences on that object. Note that this admission controller will apply to all users and object types.
Fixed Versions
kube-apiserver: >= v1.31.12
kube-apiserver: >= v1.32.8
kube-apiserver: >= v1.33.4
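The following check combines the "Am I vulnerable?" condition (NodeRestriction enabled, OwnerReferencesPermissionEnforcement not enabled) with the affected and fixed version ranges above. It is an added example, not tooling from the Kubernetes project; it assumes you can obtain the kube-apiserver command line (for instance from the static pod manifest on a kubeadm control plane) and the server version string, and it deliberately reports minors the advisory does not list as unknown rather than guessing.

```python
"""Assess a kube-apiserver configuration against the conditions in this advisory.

Added example, not tooling from the Kubernetes project. It assumes you have the
kube-apiserver command-line arguments (for example copied from the static pod
manifest) and the server version string as reported by the binary.
"""
import re

# First patch release in each listed minor that contains the fix ("Fixed Versions").
FIRST_FIXED_PATCH = {31: 12, 32: 8, 33: 4}

ENABLE_FLAG = "--enable-admission-plugins"
DISABLE_FLAG = "--disable-admission-plugins"


def _flag_values(args, flag):
    """Collect comma-separated values of a flag given as --flag=a,b or --flag a,b."""
    values = set()
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            raw = arg.split("=", 1)[1]
        elif arg == flag and i + 1 < len(args):
            raw = args[i + 1]
        else:
            continue
        values.update(v.strip() for v in raw.split(",") if v.strip())
    return values


def admission_plugin_enabled(args, plugin):
    """A plugin counts as enabled only if it is enabled and not also disabled."""
    return plugin in _flag_values(args, ENABLE_FLAG) and plugin not in _flag_values(args, DISABLE_FLAG)


def parse_version(version):
    """Parse 'v1.33.4' (optionally with a -pre/+build suffix) into (major, minor, patch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_has_fix(version):
    """True/False for the 1.31-1.33 minors this advisory covers, None for any other minor."""
    major, minor, patch = parse_version(version)
    if major != 1 or minor not in FIRST_FIXED_PATCH:
        return None
    return patch >= FIRST_FIXED_PATCH[minor]


def assess(args, version):
    """Return a short verdict string for the given command line and version."""
    if not admission_plugin_enabled(args, "NodeRestriction"):
        # The advisory's condition requires NodeRestriction; without it the plugin is
        # not restricting node users at all, which is a separate hardening gap.
        return "noderestriction-not-enabled"
    if admission_plugin_enabled(args, "OwnerReferencesPermissionEnforcement"):
        return "mitigated-by-admission-plugin"
    fixed = version_has_fix(version)
    if fixed is True:
        return "fixed-version"
    if fixed is False:
        return "vulnerable"
    return "unknown-version"  # minor not listed in this advisory; consult its release notes


if __name__ == "__main__":
    # Constructed command line in the shape kubeadm writes, not taken from a real cluster.
    sample_args = ["kube-apiserver", "--authorization-mode=Node,RBAC",
                   "--enable-admission-plugins=NodeRestriction", "--secure-port=6443"]
    print(assess(sample_args, "v1.33.3"))  # vulnerable
    hardened = ["kube-apiserver",
                "--enable-admission-plugins=NodeRestriction,OwnerReferencesPermissionEnforcement"]
    print(assess(hardened, "v1.33.3"))  # mitigated-by-admission-plugin
```

Feed it the real argument list from your control plane; when a plugin appears in both the enable and disable flags the disable wins, which mirrors how a mistakenly pasted `--disable-admission-plugins` can silently undo the mitigation.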
Detection
This issue can be detected on clusters which have NodeRestriction but not OwnerReferencesPermissionEnforcement enabled by analyzing API audit logs for patch requests against node objects, issued by node users, that modify OwnerReferences. In normal operation, a Kubelet will never issue a patch request which modifies its own OwnerReferences.
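The detection rule above, applied to audit log lines, as an added example that is not part of the advisory or of any Kubernetes project tooling. It assumes JSON-lines audit output (one `audit.k8s.io/v1` Event per line) recorded at the `Request` or `RequestResponse` level for the `nodes` resource, because only those levels include the `requestObject` field that carries the patch body; the sample events are constructed, and the owner names and UIDs in them are placeholders.

```python
"""Flag node-user patches that touch metadata.ownerReferences in kube-apiserver audit logs.

Added example for the detection guidance in this advisory; not tooling from the
Kubernetes project. Assumes JSON-lines audit output at Request/RequestResponse level.
"""
import json

NODE_USER_PREFIX = "system:node:"
TARGET_PATH = "/metadata/ownerReferences"


def patch_touches_owner_references(request_object):
    """True if a patch body modifies metadata.ownerReferences.

    Merge and strategic-merge patches arrive as an object: look for metadata.ownerReferences.
    JSON Patch (application/json-patch+json) arrives as a list of ops: inspect each op's path.
    """
    if isinstance(request_object, dict):
        metadata = request_object.get("metadata")
        return isinstance(metadata, dict) and "ownerReferences" in metadata
    if isinstance(request_object, list):
        return any(
            isinstance(op, dict) and str(op.get("path", "")).startswith(TARGET_PATH)
            for op in request_object
        )
    return False


def is_suspicious(event):
    """Apply the advisory's rule: a node user patching a node's ownerReferences."""
    if event.get("stage") != "ResponseComplete":  # one decision per request, not per stage
        return False
    if event.get("verb") != "patch":
        return False
    if (event.get("objectRef") or {}).get("resource") != "nodes":
        return False
    username = (event.get("user") or {}).get("username", "")
    if not username.startswith(NODE_USER_PREFIX):
        return False
    return patch_touches_owner_references(event.get("requestObject"))


def find_suspicious(lines):
    """Return (auditID, username, node name, HTTP status) for each matching event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            findings.append((
                event.get("auditID"),
                event["user"]["username"],
                event["objectRef"].get("name"),
                (event.get("responseStatus") or {}).get("code"),
            ))
    return findings


# Constructed audit events (not real cluster data), trimmed to the fields used above.
_OWNER = '[{"apiVersion":"v1","kind":"Node","name":"placeholder-owner","uid":"00000000-0000-0000-0000-000000000000"}]'
SAMPLE_AUDIT_LINES = [
    # Routine kubelet status patch: never touches ownerReferences, so not flagged.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1",'
    '"stage":"ResponseComplete","verb":"patch","user":{"username":"system:node:worker-1","groups":["system:nodes"]},'
    '"objectRef":{"resource":"nodes","name":"worker-1","subresource":"status"},'
    '"requestObject":{"status":{"conditions":[{"type":"Ready","status":"True"}]}},"responseStatus":{"code":200}}',
    # The same request seen at the RequestReceived stage: skipped so it is not counted twice.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2",'
    '"stage":"RequestReceived","verb":"patch","user":{"username":"system:node:worker-1","groups":["system:nodes"]},'
    '"objectRef":{"resource":"nodes","name":"worker-1"},'
    '"requestObject":{"metadata":{"ownerReferences":' + _OWNER + '}}}',
    # Merge patch from a node user setting its own ownerReferences: flagged.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2",'
    '"stage":"ResponseComplete","verb":"patch","user":{"username":"system:node:worker-1","groups":["system:nodes"]},'
    '"objectRef":{"resource":"nodes","name":"worker-1"},'
    '"requestObject":{"metadata":{"ownerReferences":' + _OWNER + '}},"responseStatus":{"code":200}}',
    # JSON Patch variant from another node: flagged.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3",'
    '"stage":"ResponseComplete","verb":"patch","user":{"username":"system:node:worker-2","groups":["system:nodes"]},'
    '"objectRef":{"resource":"nodes","name":"worker-2"},'
    '"requestObject":[{"op":"add","path":"/metadata/ownerReferences","value":' + _OWNER + '}],"responseStatus":{"code":200}}',
    # A non-node identity changing ownerReferences: outside this advisory's rule, not flagged.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a4",'
    '"stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:kube-system:placeholder-controller"},'
    '"objectRef":{"resource":"nodes","name":"worker-1"},'
    '"requestObject":{"metadata":{"ownerReferences":' + _OWNER + '}},"responseStatus":{"code":200}}',
]

if __name__ == "__main__":
    for audit_id, user, node, code in find_suspicious(SAMPLE_AUDIT_LINES):
        print(f"{audit_id}: {user} patched ownerReferences on node {node} (HTTP {code})")
```

The HTTP status in each finding separates successful patches from rejected attempts: on a fixed or mitigated cluster the same requests show up with a 403 from admission, which is still worth investigating as evidence of a node trying to exceed its permissions.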
If you find evidence that this vulnerability has been exploited, please contact [email protected]
Acknowledgements
This vulnerability was reported by Paul Viossat.
The issue was fixed and coordinated by:
Sergey Kanzhelev @SergeyKanzhelev
Jordan Liggitt @liggitt
Marko Mudrinić @xmudrii