Medium severity6.7GHSA Advisory· Published Aug 27, 2025· Updated Apr 15, 2026
CVE-2025-5187
CVE-2025-5187
Description
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/kubernetesGo | < 1.31.12 | 1.31.12 |
k8s.io/kubernetesGo | >= 1.32.0-alpha.0, < 1.32.8 | 1.32.8 |
k8s.io/kubernetesGo | >= 1.33.0-alpha.0, < 1.33.4 | 1.33.4 |
Affected products
213- Range: >= 1.33.0-alpha.0, < 1.33.4
- osv-coords212 versionspkg:apk/chainguard/argo-cd-2.13pkg:apk/chainguard/argo-cd-2.13-compatpkg:apk/chainguard/argo-cd-2.13-repo-serverpkg:apk/chainguard/argo-cd-2.14pkg:apk/chainguard/argo-cd-2.14-compatpkg:apk/chainguard/argo-cd-2.14-repo-serverpkg:apk/chainguard/argo-cd-fips-2.13-compatpkg:apk/chainguard/argo-cd-fips-2.14pkg:apk/chainguard/argo-cd-fips-2.14-compatpkg:apk/chainguard/argo-cd-fips-2.14-repo-serverpkg:apk/chainguard/argo-cd-fips-3.0pkg:apk/chainguard/argo-cd-fips-3.0-compatpkg:apk/chainguard/argo-cd-fips-3.0-iamguarded-compatpkg:apk/chainguard/argo-cd-fips-3.0-repo-serverpkg:apk/chainguard/argo-cd-fips-3.1pkg:apk/chainguard/argo-cd-fips-3.1-compatpkg:apk/chainguard/argo-cd-fips-3.1-iamguarded-compatpkg:apk/chainguard/argo-cd-fips-3.1-repo-serverpkg:apk/chainguard/argocd-image-updater-fipspkg:apk/chainguard/argo-rolloutspkg:apk/chainguard/argo-rollouts-fipspkg:apk/chainguard/aws-efs-csi-driver-fipspkg:apk/chainguard/azuredisk-csi-1.31pkg:apk/chainguard/azuredisk-csi-1.31-compatpkg:apk/chainguard/azuredisk-csi-1.32pkg:apk/chainguard/azuredisk-csi-1.32-compatpkg:apk/chainguard/azuredisk-csi-fips-1.31pkg:apk/chainguard/azuredisk-csi-fips-1.32pkg:apk/chainguard/azuredisk-csi-fips-1.33pkg:apk/chainguard/azurefile-csi-1.31pkg:apk/chainguard/azurefile-csi-1.32pkg:apk/chainguard/azurefile-csi-1.32-compatpkg:apk/chainguard/azurefile-csi-fips-1.31pkg:apk/chainguard/azurefile-csi-fips-1.32pkg:apk/chainguard/azurefile-csi-fips-1.32-compatpkg:apk/chainguard/azurefile-csi-fips-1.33pkg:apk/chainguard/azurefile-csi-fips-1.33-compatpkg:apk/chainguard/azure-vnet-cnipkg:apk/chainguard/blob-csi-1.23pkg:apk/chainguard/blob-csi-1.24pkg:apk/chainguard/blob-csi-fips-1.23pkg:apk/chainguard/blob-csi-fips-1.24pkg:apk/chainguard/blob-csi-fips-1.25pkg:apk/chainguard/blob-csi-fips-1.25-compatpkg:apk/chainguard/blob-csi-fips-1.26pkg:apk/chainguard/blob-csi-fips-1.26-compatpkg:apk/chainguard/cephcsipkg:apk/chainguard/cephcsi-compatpkg:apk/chainguard/cephcsi-fipspkg:apk/chainguard/cluster-autoscaler-1.31pkg:apk/chainguard/cluster-autoscaler-1.31-compatpkg:apk/chainguard/cluster-autoscaler-fips-1.31pkg:apk/chainguard/cluster-autoscaler-fips-1.31-compatpkg:apk/chainguard/cluster-autoscaler-fips-1.33pkg:apk/chainguard/cluster-autoscaler-fips-1.33-compatpkg:apk/chainguard/docker-machine-driver-harvesterpkg:apk/chainguard/eks-distro-kube-apiserver-1.31pkg:apk/chainguard/eks-distro-kube-apiserver-1.32pkg:apk/chainguard/eks-distro-kube-apiserver-fips-1.31pkg:apk/chainguard/eks-distro-kube-apiserver-fips-1.32pkg:apk/chainguard/emissarypkg:apk/chainguard/emissary-apiextpkg:apk/chainguard/emissary-oci-entrypointpkg:apk/chainguard/ip-masq-agentpkg:apk/chainguard/k8ssandra-clientpkg:apk/chainguard/k8ssandra-client-compatpkg:apk/chainguard/k8ssandra-client-fipspkg:apk/chainguard/kapppkg:apk/chainguard/kapp-fipspkg:apk/chainguard/kubeadm-1.32pkg:apk/chainguard/kubeadm-1.32-defaultpkg:apk/chainguard/kubeadm-1.32-default-compatpkg:apk/chainguard/kube-apiserver-1.32pkg:apk/chainguard/kube-apiserver-1.32-defaultpkg:apk/chainguard/kube-apiserver-1.32-default-compatpkg:apk/chainguard/kube-controller-manager-1.32pkg:apk/chainguard/kube-controller-manager-1.32-defaultpkg:apk/chainguard/kube-controller-manager-1.32-default-compatpkg:apk/chainguard/kubectl-1.32pkg:apk/chainguard/kubectl-1.32-bitnami-compatpkg:apk/chainguard/kubectl-1.32-defaultpkg:apk/chainguard/kubectl-1.32-default-compatpkg:apk/chainguard/kubectl-1.32-iamguarded-compatpkg:apk/chainguard/kubectl-argo-rolloutspkg:apk/chainguard/kubectl-argo-rollouts-fipspkg:apk/chainguard/kubectl-bash-completion-1.32pkg:apk/chainguard/kubelet-1.32pkg:apk/chainguard/kubelet-1.32-defaultpkg:apk/chainguard/kubelet-1.32-default-compatpkg:apk/chainguard/kube-proxy-1.32pkg:apk/chainguard/kube-proxy-1.32-defaultpkg:apk/chainguard/kube-proxy-1.32-default-compatpkg:apk/chainguard/kubernetes-1.32pkg:apk/chainguard/kubernetes-1.32-defaultpkg:apk/chainguard/kubernetes-csi-driver-hostpathpkg:apk/chainguard/kubernetes-csi-driver-nfspkg:apk/chainguard/kubernetes-csi-driver-nfs-compatpkg:apk/chainguard/kubernetes-csi-driver-nfs-fipspkg:apk/chainguard/kubernetes-csi-driver-nfs-fips-compatpkg:apk/chainguard/kubernetes-dns-node-cachepkg:apk/chainguard/kubernetes-dns-node-cache-fipspkg:apk/chainguard/kubernetes-pause-1.32pkg:apk/chainguard/kubernetes-pause-compat-1.32pkg:apk/chainguard/kube-scheduler-1.32pkg:apk/chainguard/kube-scheduler-1.32-defaultpkg:apk/chainguard/kube-scheduler-1.32-default-compatpkg:apk/chainguard/longhorn-share-manager-1.8pkg:apk/chainguard/longhorn-share-manager-1.8-compatpkg:apk/chainguard/longhorn-share-manager-fips-1.8pkg:apk/chainguard/longhorn-share-manager-fips-1.8-compatpkg:apk/chainguard/mesosphere-vsphere-csipkg:apk/chainguard/mesosphere-vsphere-csi-driverpkg:apk/chainguard/mesosphere-vsphere-csi-syncerpkg:apk/chainguard/node-feature-discovery-0.16pkg:apk/chainguard/node-feature-discovery-fips-0.16-kubectl-nfdpkg:apk/chainguard/node-feature-discovery-fips-0.17pkg:apk/chainguard/node-feature-discovery-fips-0.17-gcpkg:apk/chainguard/node-feature-discovery-fips-0.17-kubectl-nfdpkg:apk/chainguard/node-feature-discovery-fips-0.17-masterpkg:apk/chainguard/node-feature-discovery-fips-0.17-topology-updaterpkg:apk/chainguard/node-feature-discovery-fips-0.17-workerpkg:apk/chainguard/nodetaintpkg:apk/chainguard/py3.10-ambassadorpkg:apk/chainguard/py3.11-ambassadorpkg:apk/chainguard/py3.12-ambassadorpkg:apk/chainguard/py3.13-ambassadorpkg:apk/chainguard/rancher-2.10pkg:apk/chainguard/rancher-2.11pkg:apk/chainguard/rancher-2.12pkg:apk/chainguard/rancher-agent-2.10pkg:apk/chainguard/rancher-agent-2.11pkg:apk/chainguard/rancher-agent-2.12pkg:apk/chainguard/rancher-system-agentpkg:apk/chainguard/rancher-webhook-0.6pkg:apk/chainguard/rancher-webhook-fips-0.6pkg:apk/chainguard/vclusterpkg:apk/chainguard/vcluster-clipkg:apk/chainguard/vcluster-syncerpkg:apk/chainguard/yunikorn-k8shimpkg:apk/chainguard/yunikorn-k8shim-fipspkg:apk/wolfi/argo-cd-2.13pkg:apk/wolfi/argo-cd-2.13-compatpkg:apk/wolfi/argo-cd-2.13-repo-serverpkg:apk/wolfi/argo-cd-2.14pkg:apk/wolfi/argo-cd-2.14-compatpkg:apk/wolfi/argo-cd-2.14-repo-serverpkg:apk/wolfi/argo-rolloutspkg:apk/wolfi/azuredisk-csi-1.31pkg:apk/wolfi/azuredisk-csi-1.31-compatpkg:apk/wolfi/azurefile-csi-1.32pkg:apk/wolfi/azurefile-csi-1.32-compatpkg:apk/wolfi/cluster-autoscaler-1.31pkg:apk/wolfi/cluster-autoscaler-1.31-compatpkg:apk/wolfi/docker-machine-driver-harvesterpkg:apk/wolfi/emissarypkg:apk/wolfi/emissary-apiextpkg:apk/wolfi/emissary-oci-entrypointpkg:apk/wolfi/ip-masq-agentpkg:apk/wolfi/k8ssandra-clientpkg:apk/wolfi/k8ssandra-client-compatpkg:apk/wolfi/kapppkg:apk/wolfi/kubeadm-1.32pkg:apk/wolfi/kubeadm-1.32-defaultpkg:apk/wolfi/kube-apiserver-1.32pkg:apk/wolfi/kube-apiserver-1.32-defaultpkg:apk/wolfi/kube-controller-manager-1.32pkg:apk/wolfi/kube-controller-manager-1.32-defaultpkg:apk/wolfi/kubectl-1.32pkg:apk/wolfi/kubectl-1.32-bitnami-compatpkg:apk/wolfi/kubectl-1.32-defaultpkg:apk/wolfi/kubectl-argo-rolloutspkg:apk/wolfi/kubectl-bash-completion-1.32pkg:apk/wolfi/kubelet-1.32pkg:apk/wolfi/kubelet-1.32-defaultpkg:apk/wolfi/kube-proxy-1.32pkg:apk/wolfi/kube-proxy-1.32-defaultpkg:apk/wolfi/kube-proxy-1.32-default-compatpkg:apk/wolfi/kubernetes-1.32pkg:apk/wolfi/kubernetes-1.32-defaultpkg:apk/wolfi/kubernetes-csi-driver-hostpathpkg:apk/wolfi/kubernetes-csi-driver-nfspkg:apk/wolfi/kubernetes-csi-driver-nfs-compatpkg:apk/wolfi/kubernetes-dns-node-cachepkg:apk/wolfi/kubernetes-pause-1.32pkg:apk/wolfi/kubernetes-pause-compat-1.32pkg:apk/wolfi/kube-scheduler-1.32pkg:apk/wolfi/kube-scheduler-1.32-defaultpkg:apk/wolfi/mesosphere-vsphere-csipkg:apk/wolfi/mesosphere-vsphere-csi-driverpkg:apk/wolfi/mesosphere-vsphere-csi-syncerpkg:apk/wolfi/node-feature-discovery-0.16pkg:apk/wolfi/nodetaintpkg:apk/wolfi/py3.10-ambassadorpkg:apk/wolfi/py3.11-ambassadorpkg:apk/wolfi/py3.12-ambassadorpkg:apk/wolfi/py3.13-ambassadorpkg:apk/wolfi/rancher-2.10pkg:apk/wolfi/rancher-2.11pkg:apk/wolfi/rancher-2.12pkg:apk/wolfi/rancher-agent-2.10pkg:apk/wolfi/rancher-agent-2.11pkg:apk/wolfi/rancher-agent-2.12pkg:apk/wolfi/rancher-system-agentpkg:apk/wolfi/rancher-webhook-0.6pkg:apk/wolfi/vclusterpkg:apk/wolfi/vcluster-clipkg:apk/wolfi/vcluster-syncerpkg:apk/wolfi/yunikorn-k8shimpkg:golang/k8s.io/kubernetespkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
< 2.13.8-r5+ 211 more
- (no CPE)range: < 2.13.8-r5
- (no CPE)range: < 2.13.8-r5
- (no CPE)range: < 2.13.8-r5
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 2.13.9-r3
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 3.0.13-r1
- (no CPE)range: < 3.0.13-r1
- (no CPE)range: < 3.0.13-r1
- (no CPE)range: < 3.0.13-r1
- (no CPE)range: < 3.1.1-r1
- (no CPE)range: < 3.1.1-r1
- (no CPE)range: < 3.1.1-r1
- (no CPE)range: < 3.1.1-r1
- (no CPE)range: < 0.16.0-r8
- (no CPE)range: < 1.9.0-r0
- (no CPE)range: < 1.9.0-r0
- (no CPE)range: < 2.1.11-r1
- (no CPE)range: < 1.31.11-r4
- (no CPE)range: < 1.31.11-r4
- (no CPE)range: < 1.32.10-r1
- (no CPE)range: < 1.32.10-r1
- (no CPE)range: < 1.31.11-r3
- (no CPE)range: < 1.32.10-r1
- (no CPE)range: < 1.33.4-r1
- (no CPE)range: < 1.31.8-r3
- (no CPE)range: < 1.32.5-r4
- (no CPE)range: < 1.32.5-r4
- (no CPE)range: < 1.31.8-r3
- (no CPE)range: < 1.32.5-r4
- (no CPE)range: < 1.32.5-r4
- (no CPE)range: < 1.33.4-r1
- (no CPE)range: < 1.33.4-r1
- (no CPE)range: < 1.7.9-r0
- (no CPE)range: < 1.23.11-r61
- (no CPE)range: < 1.24.11-r10
- (no CPE)range: < 1.23.11-r62
- (no CPE)range: < 1.24.11-r10
- (no CPE)range: < 1.25.9-r5
- (no CPE)range: < 1.25.9-r5
- (no CPE)range: < 1.26.7-r1
- (no CPE)range: < 1.26.7-r1
- (no CPE)range: < 3.15.0-r2
- (no CPE)range: < 3.15.0-r2
- (no CPE)range: < 3.15.0-r2
- (no CPE)range: < 1.31.3-r3
- (no CPE)range: < 1.31.3-r3
- (no CPE)range: < 1.31.3-r4
- (no CPE)range: < 1.31.3-r4
- (no CPE)range: < 1.33.0-r4
- (no CPE)range: < 1.33.0-r4
- (no CPE)range: < 1.0.6-r4
- (no CPE)range: < 1.31.35-r1
- (no CPE)range: < 1.32.28-r1
- (no CPE)range: < 1.31.35-r1
- (no CPE)range: < 1.32.28-r1
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 2.12.0-r12
- (no CPE)range: < 0.8.2-r2
- (no CPE)range: < 0.8.2-r2
- (no CPE)range: < 0.8.2-r2
- (no CPE)range: < 0.64.2-r3
- (no CPE)range: < 0.64.2-r5
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.9.0-r0
- (no CPE)range: < 1.9.0-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.17.0-r4
- (no CPE)range: < 4.11.0-r6
- (no CPE)range: < 4.11.0-r6
- (no CPE)range: < 4.11.0-r6
- (no CPE)range: < 4.11.0-r6
- (no CPE)range: < 1.26.7-r0
- (no CPE)range: < 1.26.7-r1
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.8.2-r2
- (no CPE)range: < 1.8.2-r2
- (no CPE)range: < 1.8.2-r3
- (no CPE)range: < 1.8.2-r3
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 0.16.9-r2
- (no CPE)range: < 0.16.9-r2
- (no CPE)range: < 0.17.3-r4
- (no CPE)range: < 0.17.3-r4
- (no CPE)range: < 0.17.3-r4
- (no CPE)range: < 0.17.3-r4
- (no CPE)range: < 0.17.3-r4
- (no CPE)range: < 0.17.3-r4
- (no CPE)range: < 0.0.4-r36
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 2.10.9-r1
- (no CPE)range: < 2.11.5-r0
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 2.10.9-r1
- (no CPE)range: < 2.11.5-r0
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 0.3.13-r2
- (no CPE)range: < 0.6.10-r1
- (no CPE)range: < 0.6.10-r1
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 1.7.0-r3
- (no CPE)range: < 1.7.0-r4
- (no CPE)range: < 2.13.8-r5
- (no CPE)range: < 2.13.8-r5
- (no CPE)range: < 2.13.8-r5
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 2.14.15-r4
- (no CPE)range: < 1.9.0-r0
- (no CPE)range: < 1.31.11-r4
- (no CPE)range: < 1.31.11-r4
- (no CPE)range: < 1.32.5-r4
- (no CPE)range: < 1.32.5-r4
- (no CPE)range: < 1.31.3-r3
- (no CPE)range: < 1.31.3-r3
- (no CPE)range: < 1.0.6-r4
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 2.12.0-r12
- (no CPE)range: < 0.8.2-r2
- (no CPE)range: < 0.8.2-r2
- (no CPE)range: < 0.64.2-r3
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.9.0-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.17.0-r4
- (no CPE)range: < 4.11.0-r6
- (no CPE)range: < 4.11.0-r6
- (no CPE)range: < 1.26.7-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 1.32.11-r0
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 0.16.9-r2
- (no CPE)range: < 0.0.4-r36
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 3.10.0-r9
- (no CPE)range: < 2.10.9-r1
- (no CPE)range: < 2.11.5-r0
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 2.10.9-r1
- (no CPE)range: < 2.11.5-r0
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 0.3.13-r2
- (no CPE)range: < 0.6.10-r1
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 1.7.0-r3
- (no CPE)range: < 1.31.12
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
- (no CPE)range: < 0.0.20250918T182144-1.1
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-4x4m-3c2p-qppcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-5187ghsaADVISORY
- github.com/kubernetes/kubernetes/commit/a2d98cac56a0c5cb2d8abc4d087fc00846b3bc0fghsaWEB
- github.com/kubernetes/kubernetes/issues/133471nvdWEB
- groups.google.com/g/kubernetes-security-announce/c/znSNY7XCztEnvdWEB
News mentions
0No linked articles in our index yet.