NotCVE-2025-0003
Symlink Race in Kubernetes Volume Cleanup Enables Host Filesystem Deletion
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Kubernetes releases compiled with vulnerable Go versions (prior to Go 1.21.11 / 1.22.4) are affected by a race condition in the os.RemoveAll function used during volume cleanup. A malicious container can exploit this by timing a symbolic link replacement to redirect the deletion operation outside the intended volume path. This can result in deletion of arbitrary files or directories on the host system, including data from other pods or host volumes, leading to data loss and potential privilege escalation.
This NotCVE is distinct from the Go NotCVE-2025-0004 because:
- Kubernetes embeds the vulnerable Go code,
- Exposes it in a privileged execution context (volume cleanup),
- And provides a defined remediation path (rebuild with fixed Go).
*Credits:
Reported by: Igor Agievich
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-06-28 CVE Reserved
- 2025-06-30 CVE Published
- 2025-06-30 CVE Updated
- 2025-06-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-363: Race Condition Enabling Link Following
CAPEC
- CAPEC-27: Leveraging Race Conditions via Symbolic Links
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/kubernetes/kubernetes/issues/132267 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | >= 1.27.0 < 1.30.0 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.27.0 < 1.30.0" | - |
Affected
| ||||||