CVE-2025-32777

April 30, 2025, 7:15 p.m.

8.2
High

Description

Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory. This issue has been patched in versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2.

Product(s) Impacted

Vendor Product Versions
Volcano
  • Volcano
  • <1.11.2, <1.10.2, <1.9.1, <1.11.0-network-topology-preview.3, <1.12.0-alpha.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-770
Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a volcano volcano <1.11.2 / / / / / / /
a volcano volcano <1.10.2 / / / / / / /
a volcano volcano <1.9.1 / / / / / / /
a volcano volcano <1.11.0-network-topology-preview.3 / / / / / / /
a volcano volcano <1.12.0-alpha.2 / / / / / / /

References

https://github.com/volcano-sh/volcano/releases/tag/v1.10.2
https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3
https://github.com/volcano-sh/volcano/releases/tag/v1.11.2
https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2
https://github.com/volcano-sh/volcano/releases/tag/v1.9.1
https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8

Tags

security-advisories@github.com
CWE-770
2025-04-30
CVE-2025-32777

CVSS Score

8.2 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: April 30, 2025, 7:15 p.m.
Last Modified: April 30, 2025, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.