Medium severity · GHSA Advisory · Published May 8, 2026

Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size

CVE-2026-44247

Description

Impact

The Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected.

Patches

This issue will be fixed in the following versions:
- v1.14.2
- v1.13.3
- v1.12.4

Users running versions below these should upgrade accordingly.

Workarounds

No known workarounds. Upgrade to the patched versions listed above.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Volcano webhook server lacks input size limits, allowing OOM kill by any in-cluster pod.

Root Cause

The Volcano webhook server does not enforce a size limit on incoming HTTP request bodies [2]. This allows any in-cluster pod that can reach the webhook endpoint to send an arbitrarily large request body. The underlying issue is the absence of a configured request body size limit in the HTTP server handling webhook admissions. By sending a sufficiently large payload, an attacker can cause the webhook server to run out of memory (OOM) and be killed by the operating system.

Exploitation

Prerequisites

Exploitation requires an already-compromised pod or a malicious workload running inside the Kubernetes cluster that has network access to the webhook service endpoint [2]. No authentication is needed beyond having a pod that can make HTTP requests to the webhook server. This applies to all Volcano deployments where the webhook server is exposed to in-cluster traffic.

Impact

Successful exploitation results in a denial-of-service (DoS) condition against the webhook server. The OOM kill removes the webhook from the cluster, preventing admission control from processing any further requests. This could delay or block the scheduling of new Volcano workloads and potentially impact other cluster operations that depend on webhook validation [2].

Mitigation

Volcano has released patched versions that fix this issue: v1.14.2, v1.13.3, and v1.12.4 [2]. Users running versions below these should upgrade immediately. No known workarounds exist other than upgrading to a fixed version.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions       Patched versions
volcano.sh/volcano   Go          < 1.12.4                1.12.4
volcano.sh/volcano   Go          >= 1.13.0, < 1.13.3     1.13.3
volcano.sh/volcano   Go          >= 1.14.0, < 1.14.2     1.14.2

Affected products

  • Volcano Sh/Volcano (GHSA), 2 version ranges
    • (no CPE) range: >= 1.14.0, < 1.14.2
    • (no CPE) range: <= v1.14.1, <= v1.13.2, <= v1.12.3
