6.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-0426

GHSA ID

GHSA-jgfp-53c3-624w

EPSS Score

0.07667%

CWE

CWE-400

Published

2/13/2025

Updated

2/13/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-0426

CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

(GitHub Advisory)

6.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-0426

GHSA ID

GHSA-jgfp-53c3-624w

EPSS Score

0.07667%

CWE

CWE-400

Published

2/13/2025

Updated

2/13/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
k8s.io/kubernetes	go	>= 1.32.0, < 1.32.2	1.32.2
k8s.io/kubernetes	go	>= 1.31.0, < 1.31.6	1.31.6
k8s.io/kubernetes	go	>= 1.30.0, < 1.30.10	1.30.10
k8s.io/kubernetes	go	< 1.29.14	1.29.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs because the kubelet's Checkpoint API was exposed on an unauthenticated read-only HTTP endpoint. The provided patches (e.g., bda81f1b68e22671e5e26953f0086ac6fca9d8aa) show that the registration of the '/checkpoint' route, which is handled by the 's.checkpoint' method, was moved from the InstallDefaultHandlers function to the InstallDebuggingHandlers function. InstallDefaultHandlers sets up the unauthenticated read-only port, while InstallDebuggingHandlers typically sets up authenticated endpoints. Therefore, InstallDefaultHandlers was the function that incorrectly exposed the checkpointing functionality without authentication, and s.checkpoint (which resolves to k8s.io/kubernetes/pkg/kubelet/server.(*Server).checkpoint) is the function that processes these potentially malicious requests, leading to disk exhaustion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s**urity issu* w*s *is*ov*r** in Ku**rn*t*s w**r* * l*r** num**r o* *ont*in*r ****kpoint r*qu*sts m*** to t** un*ut**nti**t** ku**l*t r***-only *TTP *n*point m*y **us* * No** **ni*l o* S*rvi** *y *illin* t** No**'s *isk.

Reasoning

T** vuln*r**ility o**urs ****us* t** ku**l*t's ****kpoint *PI w*s *xpos** on *n un*ut**nti**t** r***-only *TTP *n*point. T** provi*** p*t***s (*.*., ****************************************) s*ow t**t t** r**istr*tion o* t** '/****kpoint' rout*, w*i*

6.2

Basic Information

Concerned about an active attack path?

CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API

6.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI