Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-4p3p-cr38-v5xp

Опубликовано: 13 окт. 2025
Источник: github
Github: Прошло ревью
CVSS3: 5.3

Описание

Omni is Vulnerable to DoS via Empty Create/Update Resource Requests

Summary

A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.

Details

The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault.

Vulnerable Code

The isSensitiveSpec function in /src/internal/backend/server.go:

func isSensitiveSpec(resource *resapi.Resource) bool { res, err := grpcomni.CreateResource(resource) // No nil check on resource.Metadata if err != nil { return false } // ... rest of function }

The CreateResource function expects resource.Metadata to be non-nil:

func CreateResource(resource *resources.Resource) (cosiresource.Resource, error) { if resource.Metadata.Version == "" { // PANIC: nil pointer dereference resource.Metadata.Version = "1" } // ... rest of function }

The UpdateResource function has the same issue - it also calls CreateResource internally and expects resource.Metadata to be non-nil:

func (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) { // ... validation code ... obj, err := CreateResource(in.Resource) // Same vulnerability here if err != nil { return nil, err } // ... rest of function }

Affected Endpoints

  • resourceServerCreate - Create Resource API endpoint
  • resourceServerUpdate - Update Resource API endpoint

Both endpoints call isSensitiveSpec which triggers the vulnerability when processing empty resources.

PoC

Send empty resource requests to the affected API endpoints:

# Create endpoint curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Create" \ -H "Content-Type: application/json" \ -d '{}' # Update endpoint curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Update" \ -H "Content-Type: application/json" \ -d '{}'

Expected Result: Server panic with segmentation fault:

panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970] goroutine 3305 [running]: github.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?) /src/internal/backend/grpc/resource.go:364 +0x20

Impact

  • Vulnerability Type: Denial of Service (DoS)
  • Severity: High - Complete API server crash requiring manual restart if no restart policy is applied.
  • Authentication: None required (unauthenticated)
  • Complexity: Low (simple HTTP request)

Mitigation

Add nil checks in the isSensitiveSpec function:

func isSensitiveSpec(resource *resapi.Resource) bool { if resource == nil || resource.Metadata == nil { return false } res, err := grpcomni.CreateResource(resource) if err != nil { return false } // ... rest of function }

Credits

  • @1c3t0rm
  • @nicomda

Ссылки

Пакеты

Наименование

github.com/siderolabs/omni

go
Затронутые версииВерсия исправления

>= 1.1.0-beta.0, <= 1.1.4

1.1.5

Наименование

github.com/siderolabs/omni

go
Затронутые версииВерсия исправления

<= 1.0.1

1.0.2

EPSS

Процентиль: 44%
0.00213
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-59836

Дефекты

CWE-476

Связанные уязвимости

nvd логотип

CVE-2025-59836

CVSS3: 5.3
nvd
4 месяца назад

Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2.

EPSS

Процентиль: 44%
0.00213
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-59836

Дефекты

CWE-476