{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32777", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-10T12:51:12.278Z", "datePublished": "2025-04-30T18:27:16.929Z", "dateUpdated": "2025-05-01T18:51:41.932Z"}, "containers": {"cna": {"title": "Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8"}, {"name": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2"}, {"name": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3"}, {"name": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2"}, {"name": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2"}, {"name": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1"}], "affected": [{"vendor": "volcano-sh", "product": "volcano", "versions": [{"version": ">= 1.11.0, < 1.11.2", "status": "affected"}, {"version": ">= 1.10.0-alpha.0, < 1.10.2", "status": "affected"}, {"version": "< 1.9.1", "status": "affected"}, {"version": ">= 1.11.0-network-topology-preview.0, < 1.11.0-network-topology-preview.3", "status": "affected"}, {"version": ">= 1.12.0-alpha.0, < 1.12.0-alpha.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-30T18:27:16.929Z"}, "descriptions": [{"lang": "en", "value": "Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory. This issue has been patched in versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2."}], "source": {"advisory": "GHSA-hg79-fw4p-25p8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-01T18:51:25.416268Z", "id": "CVE-2025-32777", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T18:51:41.932Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32777", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-01T18:51:25.416268Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T18:51:36.956Z"}}], "cna": {"title": "Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin", "source": {"advisory": "GHSA-hg79-fw4p-25p8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "volcano-sh", "product": "volcano", "versions": [{"status": "affected", "version": ">= 1.11.0, < 1.11.2"}, {"status": "affected", "version": ">= 1.10.0-alpha.0, < 1.10.2"}, {"status": "affected", "version": "< 1.9.1"}, {"status": "affected", "version": ">= 1.11.0-network-topology-preview.0, < 1.11.0-network-topology-preview.3"}, {"status": "affected", "version": ">= 1.12.0-alpha.0, < 1.12.0-alpha.2"}]}], "references": [{"url": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8", "name": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2", "name": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3", "name": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2", "name": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2", "name": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1", "name": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory. This issue has been patched in versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-30T18:27:16.929Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32777", "state": "PUBLISHED", "dateUpdated": "2025-05-01T18:51:41.932Z", "dateReserved": "2025-04-10T12:51:12.278Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-30T18:27:16.929Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory. This issue has been patched in versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2."}, {"lang": "es", "value": "Volcano es un sistema de programaci\u00f3n por lotes nativo de Kubernetes. En versiones anteriores a las 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3 y 1.12.0-alpha.2, si un atacante vulneraba el servicio Elastic o el complemento de extensi\u00f3n, pod\u00eda provocar una denegaci\u00f3n de servicio del programador. Esto supone una escalada de privilegios, ya que los usuarios de Volcano pueden ejecutar su servicio Elastic y los complementos de extensi\u00f3n en pods o nodos separados del programador. En el modelo de seguridad de Kubernetes, el aislamiento de nodos es un l\u00edmite de seguridad y, por lo tanto, un atacante puede cruzarlo en el caso de Volcano si ha comprometido los servicios vulnerables o el pod/nodo en el que est\u00e1n implementados. El programador dejar\u00e1 de estar disponible para otros usuarios y cargas de trabajo del cl\u00faster. El programador se bloquear\u00e1 con un p\u00e1nico de OOM irrecuperable o se congelar\u00e1 consumiendo cantidades excesivas de memoria. Este problema se ha solucionado en las versiones 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3 y 1.12.0-alpha.2."}], "id": "CVE-2025-32777", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-04-30T19:15:55.353", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.10.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.11.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/volcano-sh/volcano/releases/tag/v1.9.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}