{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-5187","assignerOrgId":"a6081bf6-c852-4425-ad4f-a67919267565","state":"PUBLISHED","assignerShortName":"kubernetes","dateReserved":"2025-05-25T18:24:14.173Z","datePublished":"2025-08-27T16:20:56.778Z","dateUpdated":"2026-02-26T17:47:59.242Z"},"containers":{"cna":{"providerMetadata":{"orgId":"a6081bf6-c852-4425-ad4f-a67919267565","shortName":"kubernetes","dateUpdated":"2025-08-27T16:20:56.778Z"},"title":"Nodes can delete themselves by adding an OwnerReference","datePublic":"2025-08-13T20:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-554","descriptions":[{"lang":"en","value":"CAPEC-554 Functionality Bypass"}]}],"affected":[{"vendor":"Kubernetes","product":"Kubernetes","versions":[{"status":"affected","version":"v1.31.0","lessThanOrEqual":"v1.31.11","versionType":"custom"},{"status":"affected","version":"v1.32.0","lessThanOrEqual":"v1.32.7","versionType":"custom"},{"status":"affected","version":"v1.33.0","lessThanOrEqual":"v1.33.3","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.","supportingMedia":[{"type":"text/html","base64":false,"value":"A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection."}]}],"references":[{"url":"https://github.com/kubernetes/kubernetes/issues/133471","tags":["issue-tracking"]},{"url":"https://groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztE","tags":["mailing-list"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW","baseSeverity":"MEDIUM","baseScore":6.7,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"}}],"solutions":[{"lang":"en","value":"To mitigate this vulnerability, upgrade Kubernetes:   https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/","supportingMedia":[{"type":"text/html","base64":false,"value":"To mitigate this vulnerability, upgrade Kubernetes:  <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/</a><br>"}]}],"credits":[{"lang":"en","value":"Paul Viossat","type":"finder"}],"source":{"discovery":"INTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-5187","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-08-28T03:55:27.614711Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:47:59.242Z"}}]}}