Updated on 2025-03-27 GMT+08:00

Notice of Kubernetes Security Vulnerability (CVE-2025-0426)

CVE-2025-0426 is a denial-of-service (DoS) vulnerability in Kubernetes that affects the kubelet read-only HTTP port. By sending a large number of checkpoint requests to that port, an attacker can rapidly fill the node's disk with checkpoint data, causing a denial of service on the node.

Vulnerability Details

Table 1 Vulnerability details

Type: Denial of service
CVE-ID: CVE-2025-0426
Severity: Medium
Discovered: 2025-02-13

Impact

This vulnerability affects the following kubelet versions:

  • v1.32.0 and v1.32.1
  • v1.31.0 to v1.31.5
  • v1.30.0 to v1.30.9

The ContainerCheckpoint feature gate is disabled by default in kubelet v1.25 to v1.29, so the vulnerable checkpoint endpoint is not exposed in those versions unless the gate has been explicitly enabled.

This vulnerability can affect Kubernetes clusters that have the kubelet read-only HTTP port enabled and use a container runtime supporting container checkpointing, such as containerd v2.0 and later or Docker v1.13 and later with Checkpoint/Restore In Userspace (CRIU) enabled.

CCE Autopilot clusters use containerd v1.6 and v1.7, and CRIU is not enabled by default, so CCE Autopilot clusters are not affected by this vulnerability.
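The preconditions listed above (an affected kubelet version, the read-only HTTP port enabled, and the ContainerCheckpoint feature gate active) can be checked mechanically. The following script is an added example, not CCE's or Kubernetes' own tooling: it takes a kubelet version string and a dict shaped like a KubeletConfiguration (`readOnlyPort` and `featureGates` are real kubelet settings; the sample values are constructed). Runtime support for checkpointing (containerd v2.0 or later, or Docker with CRIU) cannot be read from the kubelet configuration and is not evaluated here.

```python
"""Check whether a kubelet meets the preconditions for CVE-2025-0426.

Added example, not CCE's or Kubernetes' own tooling. It evaluates the
conditions the notice lists: an affected kubelet version, the read-only
HTTP port enabled, and the ContainerCheckpoint feature gate active.
Runtime support (containerd v2.0+ or Docker with CRIU) is a separate
precondition that cannot be read from kubelet configuration.
"""
import re

# Affected kubelet versions from the notice, as inclusive (low, high) ranges.
AFFECTED_RANGES = [
    ((1, 32, 0), (1, 32, 1)),
    ((1, 31, 0), (1, 31, 5)),
    ((1, 30, 0), (1, 30, 9)),
]


def parse_version(version):
    """'v1.31.3' or '1.31.3' -> (1, 31, 3); trailing build metadata is ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def read_only_port_enabled(config):
    # KubeletConfiguration.readOnlyPort defaults to 0, which disables the port.
    return int(config.get("readOnlyPort", 0)) != 0


def checkpoint_gate_enabled(version, config):
    """An explicit featureGates entry wins; otherwise use the per-version default.

    Assumption derived from the notice: the gate is off by default in
    v1.25-v1.29 and on by default from v1.30 (the affected releases).
    """
    gates = config.get("featureGates") or {}
    if "ContainerCheckpoint" in gates:
        return bool(gates["ContainerCheckpoint"])
    return parse_version(version) >= (1, 30, 0)


def assess(version, config):
    """Return the individual checks plus an overall 'exposed' verdict."""
    checks = {
        "version_affected": version_affected(version),
        "read_only_port_enabled": read_only_port_enabled(config),
        "checkpoint_gate_enabled": checkpoint_gate_enabled(version, config),
    }
    checks["exposed"] = all(checks.values())
    return checks


if __name__ == "__main__":
    # Constructed sample: an affected release with the read-only port left open.
    sample_config = {"kind": "KubeletConfiguration", "readOnlyPort": 10255}
    print(assess("v1.31.3", sample_config))
```

A result with `exposed` set to true means the cluster should either upgrade to a fixed kubelet, set `readOnlyPort` to 0, or disable the ContainerCheckpoint gate; any one of these removes a precondition. The runtime check still has to be done separately on the node.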

Identification Method

If the kubelet read-only HTTP port receives a large number of requests to the /checkpoint endpoint, an attacker may be exploiting this vulnerability to launch a DoS attack.
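The identification method above amounts to rate-based detection of checkpoint requests per source. The script below is an added example, not CCE tooling. kubelet does not write a per-request access log for the read-only port, so the input format is an assumption: one line per request, "<ISO-8601 timestamp> <source IP> <method> <path>", as a network capture or a proxy in front of the read-only port might produce; the sample lines are constructed and assumed to be in time order.

```python
"""Flag bursts of kubelet /checkpoint requests from a single source.

Added example, not CCE tooling. The log format is an assumption (constructed):
one line per request, "<ISO-8601 timestamp> <source IP> <method> <path>",
lines in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Checkpoint requests are POST /checkpoint/{namespace}/{pod}/{container}.
CHECKPOINT_PATH = re.compile(r"^/checkpoint/[^/]+/[^/]+/[^/]+/?(\?.*)?$")


def parse_line(line):
    timestamp, source, method, path = line.split()
    return datetime.fromisoformat(timestamp), source, method, path


def find_checkpoint_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {source_ip: peak_count} for sources that issued at least
    `threshold` checkpoint POSTs within any `window`-long interval."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        ts, source, method, path = parse_line(line)
        if method != "POST" or not CHECKPOINT_PATH.match(path):
            continue
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[source] = max(peaks.get(source, 0), len(q))
    return peaks


# Constructed sample: one legitimate checkpoint from 10.0.0.9, a burst of
# twelve from 10.0.0.5 within twelve seconds, and unrelated read-only traffic.
SAMPLE_LOG = (
    ["2025-02-13T10:00:00 10.0.0.9 GET /pods",
     "2025-02-13T10:00:01 10.0.0.9 POST /checkpoint/default/web/nginx"]
    + [f"2025-02-13T10:00:{2 + i:02d} 10.0.0.5 POST /checkpoint/default/web/nginx"
       for i in range(12)]
    + ["2025-02-13T10:00:30 10.0.0.9 GET /healthz"]
)

if __name__ == "__main__":
    for source, count in find_checkpoint_bursts(SAMPLE_LOG).items():
        print(f"possible CVE-2025-0426 abuse: {source} sent {count} checkpoint requests")
```

Legitimate checkpoint workflows issue a handful of requests per pod, so a low threshold over a one-minute window is reasonable; tune it against your own baseline. A confirmed burst should be correlated with node disk usage (each checkpoint writes an archive to the node), which is the actual impact the notice describes.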

Solution

CRIU is not enabled in CCE Autopilot clusters, so CVE-2025-0426 cannot be triggered there; do not enable CRIU. In addition, CCE will incorporate the community fix in a new version. Watch the CCE Autopilot Cluster Patch Release History for updates.