Key Information Vulnerability Overview CVE ID: CVE-2025-5187 Title: Nodes can delete themselves by adding an OwnerReference CVSS Score: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:C/A:L - Medium (6.7) Description: A vulnerability exists in the NodeRestriction admission controller that allows node users to delete their corresponding node objects by adding themselves as an OwnerReference to cluster-scoped resources. If the OwnerReference resource does not exist or is later deleted, the specified node object will be garbage-collected and removed. Affected Versions kube-apiserver = v1.31.12 kube-apiserver >= v1.32.8 kube-apiserver >= v1.33.4 Detection Detect node patch requests issued by node users that modify OwnerReferences by analyzing API audit logs. Reporting and Fix Reporter: Paul Vossel Fixers: Sergey Kanzhelev, Jordan Liggitt, Marko Madunic