CVE-2025-59836: 
vulnerability analysis and mitigation

A nil pointer dereference vulnerability was discovered in Omni (CVE-2025-59836), affecting versions prior to 1.1.5 and 1.0.2. The vulnerability exists in the Omni Resource Service, which allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The issue was disclosed on October 13, 2025, and affects the Omni platform that manages Kubernetes on bare metal, virtual machines, or in cloud environments (GitHub Advisory).

The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue is classified under CWE-476 (NULL Pointer Dereference) and CWE-703 (Improper Check or Handling of Exceptional Conditions) (Miggo, GitHub Advisory).

The vulnerability can lead to a complete API server crash requiring manual restart if no restart policy is applied. The attack requires no authentication and has low complexity, making it easily exploitable. The impact is primarily on service availability, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in versions 1.1.5 and 1.0.2. The fix involves adding nil checks in the isSensitiveSpec function to verify that neither the resource nor its Metadata field is nil before proceeding with the CreateResource operation. Users are advised to upgrade to the patched versions (GitHub Advisory).