
CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API #130016

@cji

Description


CVSS Rating: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

Am I vulnerable?

All clusters running an affected version listed below with the kubelet read-only HTTP port enabled and using a container runtime that supports the container checkpointing feature, such as CRI-O v1.25.0+ (with enable_criu_support set to true) or containerd v2.0+ with criu installed, are affected.

Affected Versions

  • kubelet v1.32.0 to v1.32.1
  • kubelet v1.31.0 to v1.31.5
  • kubelet v1.30.0 to v1.30.9

How do I mitigate this vulnerability?

This issue can be mitigated by setting the ContainerCheckpoint feature gate to false in your kubelet configuration, disabling the kubelet read-only port, and limiting access to the kubelet API, or upgrading to a fixed version listed below, which enforces authentication for the kubelet Checkpoint API.

Fixed Versions

Detection

A large number of requests to the kubelet read-only HTTP server's /checkpoint endpoint, or a large number of checkpoints stored (by default) under /var/lib/kubelet/checkpoints on a Node may indicate an attempted Denial of Service attack using this bug.
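As an added example (not code from the Kubernetes project), a small Python scan that applies the second heuristic above to the checkpoints directory: it counts archives and bytes per pod and flags a node when either crosses a threshold. The archive naming pattern, the thresholds, and the sample files it builds are assumptions for illustration.

```python
"""Scan a kubelet checkpoints directory for the flooding pattern the advisory describes."""
import os
import re
import tempfile
from collections import Counter

CHECKPOINT_DIR = "/var/lib/kubelet/checkpoints"  # default location per the advisory

# Assumed archive naming: checkpoint-<pod>_<namespace>-<container>-<RFC3339>.tar
# Only the <pod> part is parsed (pod names cannot contain '_', so it is unambiguous).
NAME_RE = re.compile(r"^checkpoint-(?P<pod>[^_]+)_.*\.tar$")


def scan_checkpoints(directory, max_files=50, max_bytes=10 * 1024 ** 3):
    """Return a summary dict; 'suspicious' is True when either threshold is exceeded.

    Thresholds are illustrative and should be tuned to the node's normal usage."""
    count, total = 0, 0
    per_pod = Counter()
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        match = NAME_RE.match(name)
        if not os.path.isfile(path) or not match:
            continue  # not a kubelet checkpoint archive
        count += 1
        total += os.path.getsize(path)
        per_pod[match.group("pod")] += 1
    return {
        "files": count,
        "bytes": total,
        "per_pod": dict(per_pod),
        "suspicious": count > max_files or total > max_bytes,
    }


def make_sample_dir(flood=60):
    """Constructed test data: one benign archive, `flood` archives for one pod, one stray file."""
    d = tempfile.mkdtemp(prefix="ckpt-")
    with open(os.path.join(d, "checkpoint-web_default-nginx-2025-02-13T10:00:00Z.tar"), "wb") as f:
        f.write(b"x" * 1024)
    for i in range(flood):
        with open(os.path.join(d, f"checkpoint-victim_prod-app-2025-02-13T10:01:{i:02d}Z.tar"), "wb") as f:
            f.write(b"x" * 4096)
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("ignored")  # not an archive, must not be counted
    return d


if __name__ == "__main__":
    target = CHECKPOINT_DIR if os.path.isdir(CHECKPOINT_DIR) else make_sample_dir()
    print(scan_checkpoints(target))
```

Run it as root on a node to scan the real directory; without one it scans the constructed sample and reports the flooded pod.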

If you find evidence that this vulnerability has been exploited, please contact [email protected]

Acknowledgements

This vulnerability was reported and fixed by Tim Allclair @tallclair from Google.

The issue was coordinated by:

  • Tim Allclair @tallclair
  • Sascha Grunert @saschagrunert
  • Craig Ingram @cji
  • Jordan Liggitt @liggitt

/triage accepted
/lifecycle frozen
/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig node
/area kubelet
