CVE-2025-32777

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32777
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32777.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32777
Aliases
Published
2025-04-30T18:27:16.929Z
Modified
2025-12-05T08:55:07.186865Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin
Details

Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory. This issue has been patched in versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32777.json",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/volcano-sh/volcano

Affected ranges

Type
GIT
Repo
https://github.com/volcano-sh/volcano
Events
Introduced
f1141171980bee89114c9be3f0e3c1472848e0b0
Fixed
735842af59b9be0da5090677db7693c98a798b2a
Database specific 
{
    "versions": [
        {
            "introduced": "1.11.0"
        },
        {
            "fixed": "1.11.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/volcano-sh/volcano
Events
Introduced
42749d14ed08376067f2360d0fcd969bc17f0d52
Fixed
ca2dbb36bb41232afd68a7ced85451a7f3b9f12a
Database specific 
{
    "versions": [
        {
            "introduced": "1.10.0-alpha.0"
        },
        {
            "fixed": "1.10.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/volcano-sh/volcano
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e9690aa65a59383b17e607b0c33938b980f5facc
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.9.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/volcano-sh/volcano
Events
Introduced
1d69621747a17d2d1061ec075427beb6f6ea85a2
Fixed
6b7b5df16414213aa8021c684a2a99b0f36f44de
Database specific 
{
    "versions": [
        {
            "introduced": "1.11.0-network-topology-preview.0"
        },
        {
            "fixed": "1.11.0-network-topology-preview.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/volcano-sh/volcano
Events
Introduced
b6eae3fa85854d520ed503c0ea6a6ea62a5d4d47
Fixed
7103c18de19821cd278f949fa24c13da350a8c5d
Database specific 
{
    "versions": [
        {
            "introduced": "1.12.0-alpha.0"
        },
        {
            "fixed": "1.12.0-alpha.2"
        }
    ]
}

Affected versions

v0.*

v0.1

v1.*

v1.10.0
v1.10.0-alpha.0
v1.10.1
v1.11.0
v1.11.0-network-topology-preview.0
v1.11.0-network-topology-preview.2
v1.11.1
v1.12.0-alpha.0
v1.12.0-alpha.1
v1.3.0
v1.4.0-Beta
v1.8.0-alpha.0
v1.9.0
v1.9.0-alpha.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32777.json"