[Security Advisory] Race Condition in Go allows Volume Deletion in older Kubernetes versions


Craig Ingram

Jun 17, 2025, 9:22:35 AM
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributors-announce

Hello Kubernetes Community,


The Go team has released a fix in Go versions 1.21.11 and 1.22.4 addressing a symlink race condition when using os.RemoveAll. The Kubernetes Security Response Committee received a report that this issue could be abused in Kubernetes to delete arbitrary directories on a Node with root permissions by a local non-root user with the same UID as the user in a Pod.


The Go team has not issued a CVE for this, as it is considered a hardening issue, and the SRC is following that decision as well. 


Am I affected?


Kubernetes releases built with Go versions prior to 1.21.11 or 1.22.4 are affected.


Affected Versions


- <1.30.2
- <1.29.6
- <1.28.11
- <1.27.15
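One way to answer "am I affected?" mechanically is to compare the Go toolchain version a Kubernetes binary was built with against the fixed Go releases named above. The script below is an added example, not part of the advisory or of the Kubernetes project: it parses a Go version string such as go1.22.3 and reports whether it predates 1.21.11 / 1.22.4. The kubelet path /usr/bin/kubelet and the helper names are assumptions; `go version FILE` (which prints the toolchain a binary was built with) and `kubectl version -o json` (whose serverVersion.goVersion field reports the API server's toolchain) are real commands, but are only referenced in comments so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Go toolchain version as
# affected or fixed with respect to the os.RemoveAll symlink race, using the
# thresholds the advisory gives: fixed in Go 1.21.11 and 1.22.4.

# go_version_affected VERSION
#   VERSION looks like "go1.22.3" or "1.22.3"; pre-release suffixes (rc1, beta2)
#   are treated as patch 0.  Exit status 0 = built with an affected Go, 1 = fixed.
go_version_affected() {
  v=${1#go}
  major=$(printf '%s' "$v" | cut -d. -f1 | sed 's/[^0-9].*//')
  minor=$(printf '%s' "$v" | cut -d. -f2 | sed 's/[^0-9].*//')
  patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
  minor=${minor:-0}
  patch=${patch:-0}
  [ "$major" -eq 1 ] || return 1                              # Go 2+ would carry the fix
  [ "$minor" -lt 21 ] && return 0                             # 1.20 and older never received it
  [ "$minor" -eq 21 ] && [ "$patch" -lt 11 ] && return 0      # 1.21.0 .. 1.21.10
  [ "$minor" -eq 22 ] && [ "$patch" -lt 4 ] && return 0       # 1.22.0 .. 1.22.3
  return 1                                                    # 1.21.11+, 1.22.4+, 1.23+
}

# check_kubelet_binary PATH (hypothetical helper, not run here)
#   Needs a Go toolchain on the node: `go version /usr/bin/kubelet` prints
#   "/usr/bin/kubelet: go1.22.4", and the second field is the version we need.
#   For the control plane, the equivalent source of truth is:
#     kubectl version -o json | jq -r .serverVersion.goVersion
check_kubelet_binary() {
  gv=$(go version "$1" | awk '{print $2}')
  if go_version_affected "$gv"; then
    echo "$1 built with $gv: affected, upgrade Kubernetes"
    return 0
  fi
  echo "$1 built with $gv: fixed"
  return 1
}

# Demonstration on constructed version strings around the fixed releases.
for v in go1.21.10 go1.21.11 go1.22.3 go1.22.4 go1.22rc1 go1.23.0; do
  if go_version_affected "$v"; then echo "$v: affected"; else echo "$v: fixed"; fi
done
```

Because the check keys on the Go toolchain rather than the Kubernetes semver, it also covers vendor builds and out-of-tree rebuilds that do not line up exactly with the upstream version list.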


How do I mitigate this issue?


Upgrade to a fixed (or newer) version of Kubernetes.


Fixed Versions


- 1.30.2+
- 1.29.6+
- 1.28.11+
- 1.27.15+


To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/


Detection

This issue could be detected by looking for unexpected file deletions on a Node.
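As an added example of what "looking for unexpected file deletions" can mean in practice (this is not part of the advisory or of the Kubernetes project), the script below scans Linux audit records for deletions performed by the kubelet binary outside the directories the kubelet is expected to manage. It assumes audit rules logging unlink/unlinkat/rmdir are in place, that the kubelet lives at /usr/bin/kubelet, and that /var/lib/kubelet/ is the only tree it should delete under; the audit lines it runs on are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory): flag kubelet-initiated deletions
# outside the kubelet's own state directory, from Linux audit records.
#
# Records of this shape are produced by an audit rule such as (auditctl syntax;
# the exe filter and key name are assumptions, adjust to your node):
#   -a always,exit -F arch=b64 -S unlink,unlinkat,rmdir -F exe=/usr/bin/kubelet -k kubelet_delete

# Space-separated path prefixes the kubelet is expected to delete under (assumption).
ALLOWED_PREFIXES='/var/lib/kubelet/'

# flag_unexpected_deletes: reads audit.log on stdin; prints "<event-id> <path>" for
# every PATH record marked nametype=DELETE whose matching SYSCALL record came from
# the kubelet executable and whose path is outside ALLOWED_PREFIXES.
flag_unexpected_deletes() {
  awk -v allowed="$ALLOWED_PREFIXES" '
    BEGIN { n = split(allowed, pfx, " ") }
    # Event id is the "ts:serial" inside msg=audit(...); SYSCALL and PATH records share it.
    function event_id(f,   id) {
      id = f; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id); return id
    }
    $1 == "type=SYSCALL" {
      from_kubelet[event_id($2)] = ($0 ~ /exe="\/usr\/bin\/kubelet"/)
    }
    $1 == "type=PATH" && /nametype=DELETE/ {
      id = event_id($2)
      if (!from_kubelet[id]) next
      if (match($0, / name="[^"]*"/) == 0) next
      p = substr($0, RSTART + 7, RLENGTH - 8)     # strip the leading space, name=" and closing quote
      ok = 0
      for (i = 1; i <= n; i++) if (index(p, pfx[i]) == 1) ok = 1
      if (!ok) print id, p
    }'
}

# Constructed sample audit records: one expected emptyDir cleanup, one deletion
# outside the kubelet tree, and one unrelated deletion by rm that must be ignored.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1718600000.101:4001): arch=c000003e syscall=263 success=yes exit=0 comm="kubelet" exe="/usr/bin/kubelet" key="kubelet_delete"
type=PATH msg=audit(1718600000.101:4001): item=1 name="/var/lib/kubelet/pods/3f2a/volumes/kubernetes.io~empty-dir/cache/tmp" nametype=DELETE
type=SYSCALL msg=audit(1718600000.202:4002): arch=c000003e syscall=263 success=yes exit=0 comm="kubelet" exe="/usr/bin/kubelet" key="kubelet_delete"
type=PATH msg=audit(1718600000.202:4002): item=1 name="/opt/data/reports/q2" nametype=DELETE
type=SYSCALL msg=audit(1718600000.303:4003): arch=c000003e syscall=87 success=yes exit=0 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1718600000.303:4003): item=0 name="/etc/motd" nametype=DELETE
EOF
)

# Demonstration: only the second event should be reported.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | flag_unexpected_deletes
```

On a real node, feed `/var/log/audit/audit.log` to the function instead of the sample, and treat any hit as a prompt to reconcile the path against pod volume mounts before escalating.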


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io


Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/132267


Acknowledgements

This issue was reported by Addison Crump.


Thank You,


Craig Ingram on behalf of the Kubernetes Security Response Committee

