Nil Pointer Dereference Vulnerability in Omni Resource Service
CVE-2025-59836

5.3MEDIUM

Key Information:

Vendor

Siderolabs

Status
Omni
Vendor
CVE Published:
13 October 2025

What is CVE-2025-59836?

The Omni Resource Service, which manages Kubernetes deployments across various infrastructures, contains a vulnerability that allows unauthenticated users to induce a server panic and result in a denial of service. This issue arises from the handling of empty metadata fields when creating or updating resources via API endpoints. The function responsible, isSensitiveSpec, fails to verify the integrity of metadata before invoking the CreateResource method, leading to accidental segmentation faults when the metadata is nil. This flaw is rectified in versions 1.1.5 and 1.0.2.

Affected Version(s)

omni >= 1.1.0-beta.0, < 1.1.5 < 1.1.0-beta.0, 1.1.5

omni < 1.0.2 < 1.0.2

References

https://github.com/siderolabs/omni/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/siderolabs/omni/commit/1396083f766a1b0...
x_refsource_MISC
https://github.com/siderolabs/omni/commit/1fd954af64985a8...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.