Denial of Service Vulnerability in Volcano by Volcano
CVE-2025-32777

8.2 HIGH

Key Information:

Vendor: Volcano-sh

Status
Vendor
CVE Published: 30 April 2025

What is CVE-2025-32777?

A denial of service vulnerability exists in the Volcano Kubernetes batch scheduling system prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2. An attacker who compromises either the Elastic service or the extender plugin can disrupt the availability of the scheduler: the scheduler either crashes with an unrecoverable Out of Memory (OOM) panic or becomes unresponsive while consuming excessive resources. Users should update to one of the patched versions to protect their Kubernetes environments from exploitation that would disrupt workflows and access to the scheduler.

Affected Version(s)

volcano >= 1.11.0, < 1.11.2

volcano >= 1.10.0-alpha.0, < 1.10.2

volcano < 1.9.1

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published