CVE-2025-59836 (GCVE-0-2025-59836)

Vulnerability from cvelistv5

Published

2025-10-13 20:43

Modified

2025-10-14 14:28

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-703 - Improper Check or Handling of Exceptional Conditions
CWE-476 - NULL Pointer Dereference

Summary

Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2.

References

URL

Tags

	security-advisories@github.com	https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa
	security-advisories@github.com	https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae
	security-advisories@github.com	https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp

Impacted products

	Vendor	Product	Version
	siderolabs	omni	Version: >= 1.1.0-beta.0, < 1.1.5 Version: < 1.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59836",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-14T14:28:04.746854Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-14T14:28:17.108Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "omni",
          "vendor": "siderolabs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.1.0-beta.0, \u003c 1.1.5"
            },
            {
              "status": "affected",
              "version": "\u003c 1.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource\u0027s metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-703",
              "description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-13T20:45:48.663Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp"
        },
        {
          "name": "https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa"
        },
        {
          "name": "https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae"
        }
      ],
      "source": {
        "advisory": "GHSA-4p3p-cr38-v5xp",
        "discovery": "UNKNOWN"
      },
      "title": "Omni is Vulnerable to DoS via Empty Create/Update Resource Requests"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59836",
    "datePublished": "2025-10-13T20:43:40.844Z",
    "dateReserved": "2025-09-22T14:34:03.471Z",
    "dateUpdated": "2025-10-14T14:28:17.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59836\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-13T21:15:34.457\",\"lastModified\":\"2025-10-14T19:36:29.240\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource\u0027s metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"},{\"lang\":\"en\",\"value\":\"CWE-703\"}]}],\"references\":[{\"url\":\"https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Omni is Vulnerable to DoS via Empty Create/Update Resource Requests\", \"source\": {\"advisory\": \"GHSA-4p3p-cr38-v5xp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"siderolabs\", \"product\": \"omni\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.1.0-beta.0, \u003c 1.1.5\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp\", \"name\": \"https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa\", \"name\": \"https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae\", \"name\": \"https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource\u0027s metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-703\", \"description\": \"CWE-703: Improper Check or Handling of Exceptional Conditions\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476: NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-13T20:45:48.663Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59836\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-14T14:28:04.746854Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-10-14T14:28:13.138Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59836\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-13T20:45:48.663Z\", \"dateReserved\": \"2025-09-22T14:34:03.471Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-13T20:43:40.844Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-59836

Vulnerability from fkie_nvd

Published

2025-10-13 21:15

Modified

2025-10-14 19:36

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa
	security-advisories@github.com	https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae
	security-advisories@github.com	https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource\u0027s metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2."
    }
  ],
  "id": "CVE-2025-59836",
  "lastModified": "2025-10-14T19:36:29.240",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-13T21:15:34.457",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        },
        {
          "lang": "en",
          "value": "CWE-703"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-4p3p-cr38-v5xp

Vulnerability from github

Published

2025-10-13 19:59

Modified

2025-10-13 22:09

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

Omni is Vulnerable to DoS via Empty Create/Update Resource Requests

Details

Summary

A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.

Details

The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault.

Vulnerable Code

The isSensitiveSpec function in /src/internal/backend/server.go:

go func isSensitiveSpec(resource *resapi.Resource) bool { res, err := grpcomni.CreateResource(resource) // No nil check on resource.Metadata if err != nil { return false } // ... rest of function }

The CreateResource function expects resource.Metadata to be non-nil:

go func CreateResource(resource *resources.Resource) (cosiresource.Resource, error) { if resource.Metadata.Version == "" { // PANIC: nil pointer dereference resource.Metadata.Version = "1" } // ... rest of function }

The UpdateResource function has the same issue - it also calls CreateResource internally and expects resource.Metadata to be non-nil:

go func (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) { // ... validation code ... obj, err := CreateResource(in.Resource) // Same vulnerability here if err != nil { return nil, err } // ... rest of function }

Affected Endpoints

resourceServerCreate - Create Resource API endpoint
resourceServerUpdate - Update Resource API endpoint

Both endpoints call isSensitiveSpec which triggers the vulnerability when processing empty resources.

PoC

Send empty resource requests to the affected API endpoints:

```bash

Create endpoint

curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Create" \ -H "Content-Type: application/json" \ -d '{}'

Update endpoint

curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Update" \ -H "Content-Type: application/json" \ -d '{}' ```

Expected Result: Server panic with segmentation fault:

``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970]

goroutine 3305 [running]: github.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?) /src/internal/backend/grpc/resource.go:364 +0x20 ```

Impact

Vulnerability Type: Denial of Service (DoS)
Severity: High - Complete API server crash requiring manual restart if no restart policy is applied.
Authentication: None required (unauthenticated)
Complexity: Low (simple HTTP request)

Mitigation

Add nil checks in the isSensitiveSpec function:

go func isSensitiveSpec(resource *resapi.Resource) bool { if resource == nil || resource.Metadata == nil { return false } res, err := grpcomni.CreateResource(resource) if err != nil { return false } // ... rest of function }

Credits

@1c3t0rm
@nicomda

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0-beta.0"
            },
            {
              "fixed": "1.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T19:59:17Z",
    "nvd_published_at": "2025-10-13T21:15:34Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.\n\n## Details\n\nThe vulnerability exists in the `isSensitiveSpec` function which calls `grpcomni.CreateResource` without checking if the resource\u0027s metadata field is nil. When a resource is created with an empty `Metadata` field, the `CreateResource` function attempts to access `resource.Metadata.Version` causing a segmentation fault.\n\n### Vulnerable Code\n\nThe `isSensitiveSpec` function in `/src/internal/backend/server.go`:\n\n```go\nfunc isSensitiveSpec(resource *resapi.Resource) bool {\n    res, err := grpcomni.CreateResource(resource)  // No nil check on resource.Metadata\n    if err != nil {\n        return false\n    }\n    // ... rest of function\n}\n```\n\nThe `CreateResource` function expects `resource.Metadata` to be non-nil:\n\n```go\nfunc CreateResource(resource *resources.Resource) (cosiresource.Resource, error) {\n    if resource.Metadata.Version == \"\" {  // PANIC: nil pointer dereference\n        resource.Metadata.Version = \"1\"\n    }\n    // ... rest of function\n}\n```\n\nThe `UpdateResource` function has the same issue - it also calls `CreateResource` internally and expects `resource.Metadata` to be non-nil:\n\n```go\nfunc (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) {\n    // ... validation code ...\n    obj, err := CreateResource(in.Resource)  // Same vulnerability here\n    if err != nil {\n        return nil, err\n    }\n    // ... rest of function\n}\n```\n\n### Affected Endpoints\n\n- `resourceServerCreate` - Create Resource API endpoint\n- `resourceServerUpdate` - Update Resource API endpoint\n\nBoth endpoints call `isSensitiveSpec` which triggers the vulnerability when processing empty resources.\n\n## PoC\n\nSend empty resource requests to the affected API endpoints:\n\n```bash\n# Create endpoint\ncurl -X POST \"https://your-omni-instance/api/omni.resources.ResourceService/Create\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{}\u0027\n\n# Update endpoint  \ncurl -X POST \"https://your-omni-instance/api/omni.resources.ResourceService/Update\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{}\u0027\n```\n\n**Expected Result**: Server panic with segmentation fault:\n\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970]\n\ngoroutine 3305 [running]:\ngithub.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?)\n        /src/internal/backend/grpc/resource.go:364 +0x20\n```\n\n## Impact\n\n- **Vulnerability Type**: Denial of Service (DoS)\n- **Severity**: High - Complete API server crash requiring manual restart if no restart policy is applied.\n- **Authentication**: None required (unauthenticated)\n- **Complexity**: Low (simple HTTP request)\n\n## Mitigation\n\nAdd nil checks in the `isSensitiveSpec` function:\n\n```go\nfunc isSensitiveSpec(resource *resapi.Resource) bool {\n    if resource == nil || resource.Metadata == nil {\n        return false\n    }\n    res, err := grpcomni.CreateResource(resource)\n    if err != nil {\n        return false\n    }\n    // ... rest of function\n}\n```\n\n## Credits\n- @1c3t0rm\n- @nicomda",
  "id": "GHSA-4p3p-cr38-v5xp",
  "modified": "2025-10-13T22:09:25Z",
  "published": "2025-10-13T19:59:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siderolabs/omni"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Omni is Vulnerable to DoS via Empty Create/Update Resource Requests"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-59836 (GCVE-0-2025-59836)

Vulnerability from cvelistv5

fkie_cve-2025-59836

Vulnerability from fkie_nvd

ghsa-4p3p-cr38-v5xp

Vulnerability from github

Summary

Details

Vulnerable Code

Affected Endpoints

PoC

Create endpoint

Update endpoint

Impact

Mitigation

Credits

Tags

Sightings

Nomenclature