N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32777

CVE-2025-32777: Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin

Impact

This issue allows an attacker who has compromised either the Elastic service or the extender plugin to cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory.

Workarounds

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-32777

CVE-2025-32777:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
volcano.sh/volcano	go	< 1.9.1	1.9.1
volcano.sh/volcano	go	>= 1.10.0-alpha.0, < 1.10.2	1.10.2
volcano.sh/volcano	go	>= 1.11.0-network-topology-preview.0, < 1.11.0-network-topology-preview.3	1.11.0-network-topology-preview.3
volcano.sh/volcano	go	>= 1.11.0, < 1.11.2	1.11.2
volcano.sh/volcano	go	>= 1.12.0-alpha.0, < 1.12.0-alpha.2	1.12.0-alpha.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that an attacker can cause a denial of service by sending unbounded responses from either the Elastic service or an extender plugin. The provided commits (e.g., 45a4347471a5254121d10afef04c6732095fa398) show identical patches applied across different versions/branches. These patches introduce http.MaxBytesReader to limit the size of the HTTP response body being read and decoded.

In pkg/scheduler/metrics/source/metrics_client_elasticsearch.go, the function (*ElasticsearchMetricsClient).NodeMetricsAvg is responsible for making requests to Elasticsearch and decoding the response. The patch adds http.MaxBytesReader before json.NewDecoder(res.Body).Decode(&r). This indicates that NodeMetricsAvg was previously vulnerable to unbounded responses from Elasticsearch.
In pkg/scheduler/plugins/extender/extender.go, the function (*extenderPlugin).send is responsible for sending requests to an extender and decoding its response. The patch adds http.MaxBytesReader before json.NewDecoder(resp.Body).Decode(result). This indicates that send was previously vulnerable to unbounded responses from the extender plugin.

Both functions directly handle HTTP responses from external services (Elasticsearch and extender plugins) and were modified to limit the response size, which is the core of the described vulnerability. Therefore, these are the functions that would be involved when the vulnerability is triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-32777: Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin

Impact

Workarounds

CVE-2025-32777:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Basic Information

Basic Information

Technical Details

CVE-2025-32777: Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin

Impact

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI