CVE-2025-5187: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-5187) was discovered in the Kubernetes NodeRestriction admission controller, where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. The vulnerability was disclosed on August 11, 2025, affecting all Kubernetes clusters that have enabled the NodeRestriction but not the OwnerReferencesPermissionEnforcement admission controller. This vulnerability impacts multiple versions including kube-apiserver versions <= v1.31.11, <= v1.32.7, and <= v1.33.3 (Kubernetes Issue, Microsoft Azure).

The vulnerability exists because the NodeRestriction admission controller does not prevent patching OwnerReferences. By default, node users are authorized for create and patch requests but not delete requests against their node object. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. The vulnerability has been assigned a CVSS v3.1 score of 6.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L (Kubernetes Announce).

A compromised node could leverage this vulnerability to delete and then recreate its node object with modified taints or labels which are normally rejected by the NodeRestriction plugin. This modification of taints or labels on a node could allow an attacker to control which pods are running on the compromised node (Kubernetes Issue).

The vulnerability can be mitigated by either upgrading to patched versions (kube-apiserver >= v1.31.12, >= v1.32.8, or >= v1.33.4) or by enabling the OwnerReferencesPermissionEnforcement admission controller. The fixed versions have added functionality to the NodeRestriction admission controller to prevent node users from modifying their own OwnerReferences. For Azure Kubernetes Service (AKS) users, a security patch is being rolled out in the 20250720 and 20250808 release (Microsoft Azure, Kubernetes Issue).

The vulnerability was reported by Paul Viossat and was coordinated by the Kubernetes Security Response Committee members including Sergey Kanzhelev, Jordan Liggitt, and Marko Mudrinić. Major cloud providers like Microsoft Azure and Red Hat have acknowledged the vulnerability and are actively rolling out patches to their managed Kubernetes services (Kubernetes Issue).