CVE-2025-32777: Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin
First published: Wed Apr 30 2025(Updated: )
### Impact This issue allows an attacker who has compromised either the Elastic service or the extender plugin to cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory. ### Workarounds No
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/volcano.sh/volcano | >=1.12.0-alpha.0<1.12.0-alpha.2 | 1.12.0-alpha.2 |
| go/volcano.sh/volcano | >=1.11.0<1.11.2 | 1.11.2 |
| go/volcano.sh/volcano | >=1.11.0-network-topology-preview.0<1.11.0-network-topology-preview.3 | 1.11.0-network-topology-preview.3 |
| go/volcano.sh/volcano | >=1.10.0-alpha.0<1.10.2 | 1.10.2 |
| go/volcano.sh/volcano | <1.9.1 | 1.9.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/volcano-sh/volcano/security/advisories/GHSA-hg79-fw4p-25p8
- https://github.com/volcano-sh/volcano/releases/tag/v1.10.2
- https://github.com/volcano-sh/volcano/releases/tag/v1.11.0-network-topology-preview.3
- https://github.com/volcano-sh/volcano/releases/tag/v1.11.2
- https://github.com/volcano-sh/volcano/releases/tag/v1.12.0-alpha.2
- https://github.com/volcano-sh/volcano/releases/tag/v1.9.1
- https://github.com/volcano-sh/volcano/commit/45a4347471a5254121d10afef04c6732095fa398
- https://github.com/volcano-sh/volcano/commit/7103c18de19821cd278f949fa24c13da350a8c5d
- https://github.com/volcano-sh/volcano/commit/735842af59b9be0da5090677db7693c98a798b2a
- https://github.com/volcano-sh/volcano/commit/7c0ea53fa3cfa7a05b5fba7a8af7bfe88adc41c3
- https://github.com/volcano-sh/volcano/commit/d687f75a11fa36f37b54e4b6ff8e49bc0a3ca6b4
- https://nvd.nist.gov/vuln/detail/CVE-2025-32777
- https://github.com/advisories/GHSA-hg79-fw4p-25p8 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-32777?
CVE-2025-32777 is classified as a privilege escalation vulnerability that can lead to denial of service.
How do I fix CVE-2025-32777?
To fix CVE-2025-32777, upgrade to Volcano version 1.12.0-alpha.2, 1.11.2, 1.11.0-network-topology-preview.3, 1.10.2, or 1.9.1 as applicable.
What vulnerabilities does CVE-2025-32777 affect?
CVE-2025-32777 affects specific versions of the Volcano software including versions below 1.12.0-alpha.2.
What are the potential impacts of CVE-2025-32777?
The potential impacts of CVE-2025-32777 include service disruption and privilege escalation within the scheduler.
Who is impacted by CVE-2025-32777?
Users of the Volcano software running Elastic services or extender plugins in separate pods or nodes may be impacted by CVE-2025-32777.
- agent/weakness
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/description
- agent/type
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/source
- collector/nvd-cve
- agent/references
- agent/last-modified-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hg79-fw4p-25p8
- alias/CVE-2025-32777
- agent/software-canonical-lookup
- agent/tags
- agent/event
- package-manager/go