CVE-2025-5187

Name of the Vulnerable Software and Affected Versions: kube-apiserver versions 1.31.11 and earlier kube-apiserver versions 1.32.7 and earlier kube-apiserver versions 1.33.3 and earlier

Description: Compromised nodes can delete themselves and relabel via OwnerReferences. An attacker who has gained access to a node can utilize the kubelet's kubeconfig to bypass the NodeRestrictionPlugin by setting an OwnerReference with a non-existent object on the node. This causes the compromised node to be deleted and allows the attacker to apply taints or labels to a newly created node, controlling which containers are launched on the recreated compromised node. The fix involves adding checks to prevent updates to the ownerReference from a node.

Recommendations: Update kube-apiserver to version 1.31.12 or later. Update kube-apiserver to version 1.32.8 or later. Update kube-apiserver to version 1.33.4 or later. Enable OwnerReferencesPermissionEnforcement plugin to mitigate the issue.