Description

Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2.

INFO

Published Date :

2025-10-13T20:43:40.844Z

Last Modified :

2025-10-14T14:28:17.108Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59836 vulnerability.

Vendors Products
Siderolabs
  • Omni
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59836.

URL Resource
https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa cve-icon cve-icon
https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae cve-icon cve-icon
https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact