CVE-2025-59836

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-59836
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59836.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-59836
Aliases
Published
2025-10-13T20:43:40Z
Modified
2025-11-11T19:46:51.743043Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Omni is Vulnerable to DoS via Empty Create/Update Resource Requests
Details

Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function, which calls grpcomni.CreateResource without checking whether the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version, causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2.
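The failure mode described above, a request-derived pointer dereferenced before it is checked, is illustrated in the following Go example. It is added here and is not Omni's code; the Metadata and Resource types, the function names and the sample values are constructed stand-ins that reproduce the shape of the bug (a nil Metadata field read without a guard) next to the validation a hardened handler would perform first. It also shows why an unrecovered panic matters for a gRPC service: one bad request takes the whole process down unless the panic is contained.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical protobuf-style message types (not Omni's real definitions).
// Message fields of message type are pointers in generated Go code, so an
// empty request leaves Metadata == nil.
type Metadata struct {
	Type    string
	ID      string
	Version string
}

type Resource struct {
	Metadata *Metadata // nil when the client sends an empty Resource
	Spec     []byte
}

// ErrMissingMetadata is returned by the hardened path instead of panicking.
var ErrMissingMetadata = errors.New("resource metadata is required")

// createResourceUnchecked mirrors the defect the advisory describes: it reads
// Metadata.Version without first checking Metadata for nil, so an empty
// request dereferences a nil pointer and the goroutine panics.
func createResourceUnchecked(r *Resource) (string, error) {
	key := fmt.Sprintf("%s/%s@%s", r.Metadata.Type, r.Metadata.ID, r.Metadata.Version)
	return key, nil
}

// validateResource is the guard the fix needs: every required field is
// checked before anything is dereferenced, and a malformed request becomes an
// ordinary error (an InvalidArgument status in a real gRPC handler).
func validateResource(r *Resource) error {
	if r == nil || r.Metadata == nil {
		return ErrMissingMetadata
	}
	if r.Metadata.Type == "" || r.Metadata.ID == "" {
		return errors.New("resource type and id are required")
	}
	return nil
}

// createResourceChecked is the hardened equivalent of createResourceUnchecked.
func createResourceChecked(r *Resource) (string, error) {
	if err := validateResource(r); err != nil {
		return "", err
	}
	key := fmt.Sprintf("%s/%s@%s", r.Metadata.Type, r.Metadata.ID, r.Metadata.Version)
	return key, nil
}

// recoversFromPanic runs fn and reports whether it panicked. This is the same
// defer/recover pattern a gRPC recovery interceptor uses as a second line of
// defence so that one crashing request does not terminate the server.
func recoversFromPanic(fn func()) (panicked bool) {
	defer func() {
		if rec := recover(); rec != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	empty := &Resource{} // constructed: the empty create request from the advisory
	fmt.Println("unchecked path panics on empty request:",
		recoversFromPanic(func() { createResourceUnchecked(empty) }))

	if _, err := createResourceChecked(empty); err != nil {
		fmt.Println("checked path rejects it with an error:", err)
	}

	// constructed sample of a well-formed request
	ok := &Resource{Metadata: &Metadata{Type: "ExampleType", ID: "r1", Version: "7"}}
	key, _ := createResourceChecked(ok)
	fmt.Println("checked path accepts a well-formed request:", key)
}
```

The validation step belongs at the API boundary, before any code path that trusts the message: the advisory's isSensitiveSpec is reached by an unauthenticated caller, so a nil check there (or in the request decoder) closes the issue, while a recovery interceptor only limits the blast radius of the next unguarded dereference.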

Database specific
{
    "cwe_ids": [
        "CWE-476",
        "CWE-703"
    ]
}
References

Affected packages

Git / github.com/siderolabs/omni

Affected ranges

Type
GIT
Repo
https://github.com/siderolabs/omni
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.1.0-beta.0"
        },
        {
            "fixed": "1.1.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/siderolabs/omni
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.2"
        }
    ]
}

Affected versions

client/v0.*

client/v0.48.0-beta.0
client/v0.51.0-beta.0
client/v0.51.0-beta.1

client/v1.*

client/v1.0.0
client/v1.0.1
client/v1.1.0
client/v1.1.2

v0.*

v0.33.0-beta.0
v0.34.0-beta.0
v0.35.0-beta.0
v0.36.0-beta.0
v0.37.0-beta.0
v0.38.0-beta.0
v0.39.0-beta.0
v0.40.0-beta.0
v0.41.0-beta.0
v0.42.0-beta.0
v0.43.0
v0.43.0-beta.0
v0.44.0-beta.0
v0.45.0-beta.0
v0.46.0-beta.0
v0.47.0-beta.0
v0.47.0-beta.1
v0.48.0-beta.0
v0.49.0-beta.0
v0.50.0-beta.0
v0.51.0-beta.0
v0.51.0-beta.1
v0.51.0-beta.2
v0.52.0-beta.0

v1.*

v1.0.0
v1.0.0-beta.0
v1.0.0-beta.1
v1.0.1
v1.1.0
v1.1.0-beta.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4