CVE-2025-59836

MEDIUM5.3EPSS 0.56%

Omni is Vulnerable to DoS via Empty Create/Update Resource Requests

Published: 10/13/2025Modified: 11/5/2025

Also known as:GHSA-4p3p-cr38-v5xpGO-2025-4021

Description

## Summary A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. ## Details The vulnerability exists in the `isSensitiveSpec` function which calls `grpcomni.CreateResource` without checking if the resource's metadata field is nil. When a resource is created with an empty `Metadata` field, the `CreateResource` function attempts to access `resource.Metadata.Version` causing a segmentation fault. ### Vulnerable Code The `isSensitiveSpec` function in `/src/internal/backend/server.go`: ```go func isSensitiveSpec(resource *resapi.Resource) bool { res, err := grpcomni.CreateResource(resource) // No nil check on resource.Metadata if err != nil { return false } // ... rest of function } ``` The `CreateResource` function expects `resource.Metadata` to be non-nil: ```go func CreateResource(resource *resources.Resource) (cosiresource.Resource, error) { if resource.Metadata.Version == "" { // PANIC: nil pointer dereference resource.Metadata.Version = "1" } // ... rest of function } ``` The `UpdateResource` function has the same issue - it also calls `CreateResource` internally and expects `resource.Metadata` to be non-nil: ```go func (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) { // ... validation code ... obj, err := CreateResource(in.Resource) // Same vulnerability here if err != nil { return nil, err } // ... rest of function } ``` ### Affected Endpoints - `resourceServerCreate` - Create Resource API endpoint - `resourceServerUpdate` - Update Resource API endpoint Both endpoints call `isSensitiveSpec` which triggers the vulnerability when processing empty resources. ## PoC Send empty resource requests to the affected API endpoints: ```bash # Create endpoint curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Create" \ -H "Content-Type: application/json" \ -d '{}' # Update endpoint curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Update" \ -H "Content-Type: application/json" \ -d '{}' ``` **Expected Result**: Server panic with segmentation fault: ``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970] goroutine 3305 [running]: github.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?) /src/internal/backend/grpc/resource.go:364 +0x20 ``` ## Impact - **Vulnerability Type**: Denial of Service (DoS) - **Severity**: High - Complete API server crash requiring manual restart if no restart policy is applied. - **Authentication**: None required (unauthenticated) - **Complexity**: Low (simple HTTP request) ## Mitigation Add nil checks in the `isSensitiveSpec` function: ```go func isSensitiveSpec(resource *resapi.Resource) bool { if resource == nil || resource.Metadata == nil { return false } res, err := grpcomni.CreateResource(resource) if err != nil { return false } // ... rest of function } ``` ## Credits - @1c3t0rm - @nicomda

Affected packages (2)

Go/github.com/siderolabs/omni>= 1.1.0-beta.0, < 1.1.5
Go/github.com/siderolabs/omnifrom 0, < 1.0.2, >= 1.1.0-beta.0, < 1.1.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

Affected packages (2)

CVSS scores

References (6)