Cyber Posture

CVE-2025-2586

High

Published: 31 March 2025
Modified: 15 April 2026
KEV Added: (no entry)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0034 (56.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

CVE-2025-2586 is an uncontrolled resource consumption flaw (CWE-400) in the OpenShift Lightspeed Service. Unauthenticated, repeated requests to non-existent API endpoints inflate metrics storage and processing, consuming CPU, memory and disk until monitoring degrades and the service can become unavailable.

Security Summary

CVE-2025-2586 is a vulnerability in the OpenShift Lightspeed Service that enables unauthenticated API request flooding. Attackers can send repeated queries to non-existent endpoints, which inflates metrics storage and processing, resulting in excessive resource consumption. This leads to monitoring system degradation, increased disk usage, and potential service unavailability. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).

Any attacker who can reach the service over the network can exploit this flaw: no credentials or user interaction are needed, and the attack is low-complexity (AV:N/AC:L/PR:N/UI:N), since it only requires repeating requests to paths the service does not route. Successful exploitation lets the attacker drive up CPU, memory and disk consumption on the affected system, degrading monitoring and potentially affecting application and cluster stability, up to service unavailability.

Mitigation details are available in the official advisories, including the Red Hat security page at https://access.redhat.com/security/cve/CVE-2025-2586 and the Bugzilla tracking entry at https://bugzilla.redhat.com/show_bug.cgi?id=2353998.
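The summary above describes the mechanism only at a high level: requests to unrouted paths make the metrics layer do work and store state that scales with attacker input. The following is an added example, not code from OpenShift Lightspeed, Red Hat, or this page. It uses a constructed stand-in for a Prometheus-style labelled counter, a hypothetical route table, and generated traffic to show how labelling a request metric with the raw request path lets one unauthenticated client create an unbounded number of time series, and how labelling by the matched route (with a single bucket for everything unmatched) bounds it.

```python
"""Added example (not code from OpenShift Lightspeed, Red Hat, or this page):
a stand-in HTTP request counter showing why labelling metrics with the raw
request path lets an unauthenticated client grow the number of time series
without bound, and how labelling by the matched route bounds it. The route
list, the counter class and the traffic are constructed for illustration."""
from collections import Counter

# Hypothetical route table; nothing here is taken from the real service.
KNOWN_ROUTES = frozenset({"/v1/query", "/v1/feedback", "/readiness", "/liveness"})


class RequestCounter:
    """Minimal stand-in for a Prometheus-style labelled counter.

    Every distinct label tuple is a separate time series that the metrics
    backend must keep in memory, scrape, and persist, so cardinality()
    approximates the cost a flood pushes onto the monitoring stack.
    """

    def __init__(self):
        self.series = Counter()

    def inc(self, **labels):
        self.series[tuple(sorted(labels.items()))] += 1

    def cardinality(self):
        return len(self.series)


def path_label_vulnerable(path):
    # Vulnerable pattern: the attacker-controlled path becomes the label value,
    # so each unique bogus path an attacker invents creates a new series.
    return path


def path_label_hardened(path):
    # Hardened pattern: only routes the application defines are used as label
    # values; every unmatched path collapses into a single bucket.
    return path if path in KNOWN_ROUTES else "<unmatched>"


def record(counter, label_fn, method, path, status):
    counter.inc(method=method, path=label_fn(path), status=str(status))


def simulate_flood(requests):
    """Replay `requests` distinct non-existent paths (constructed traffic) plus
    one legitimate hit per known route against both labelling schemes, and
    return (vulnerable_series, hardened_series)."""
    vulnerable, hardened = RequestCounter(), RequestCounter()
    for i in range(requests):
        bogus = f"/v1/does-not-exist-{i:06d}"
        record(vulnerable, path_label_vulnerable, "GET", bogus, 404)
        record(hardened, path_label_hardened, "GET", bogus, 404)
    for route in KNOWN_ROUTES:
        record(vulnerable, path_label_vulnerable, "GET", route, 200)
        record(hardened, path_label_hardened, "GET", route, 200)
    return vulnerable.cardinality(), hardened.cardinality()


if __name__ == "__main__":
    vuln, hard = simulate_flood(10_000)
    print(f"vulnerable labelling: {vuln} series; hardened labelling: {hard} series")
```

With 10,000 invented paths the vulnerable counter holds 10,004 series and the hardened one holds 5, and the gap keeps widening with every request the attacker sends. In a real service the bounded label value is normally the route template the framework matched rather than the request URL; bounding label cardinality is the fix for the metrics side of the problem, and rate limiting or authentication in front of the endpoint is the complementary control for the request side.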

Details

CWE(s)
CWE-400 Uncontrolled Resource Consumption

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability enables direct exploitation via unauthenticated API request flooding to non-existent endpoints, causing application-level resource exhaustion (CPU, RAM, disk) and service unavailability, which maps precisely to Application Exhaustion Flood.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
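Because the technique mapped above is an unauthenticated flood of requests to endpoints that do not exist, the traffic is visible at the proxy or ingress in front of the service as a burst of 404 responses to many distinct paths from one client. The following added example is not from the original page or from Red Hat or OpenShift; it runs a sliding-window detector over constructed Common Log Format lines (the format, thresholds, addresses and paths are assumptions) and raises one alert per client whose 404s within a window reach both a request count and a distinct-path count, so that a misconfigured client retrying a single bad URL is not flagged.

```python
"""Added example (not from the original page or from Red Hat / OpenShift):
a sliding-window detector that flags a client producing many 404 responses
across many distinct paths in a short window, the traffic shape of the
unauthenticated flood described for CVE-2025-2586. Log format, thresholds,
addresses and paths are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, as emitted by most reverse proxies in front of a service.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_404_floods(lines, window=timedelta(seconds=60),
                      min_requests=20, min_distinct_paths=10):
    """Raise one alert per client whose 404s inside any `window` reach both
    thresholds. Requiring many distinct paths separates a flood of invented
    endpoints from a misconfigured client retrying one bad URL."""
    recent = defaultdict(deque)  # client -> (timestamp, path) of recent 404s
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["client"]]
        q.append((rec["ts"], rec["path"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if (rec["client"] not in alerted and len(q) >= min_requests
                and len(distinct) >= min_distinct_paths):
            alerted.add(rec["client"])
            alerts.append({"client": rec["client"], "at": rec["ts"],
                           "requests_404": len(q), "distinct_paths": len(distinct)})
    return alerts


def sample_log():
    """Constructed log lines, not captured traffic: a benign client with a
    couple of typos, and a flooding client hitting 30 invented paths in 30 s."""
    base = datetime(2025, 3, 31, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [f'10.0.0.5 - - [{stamp(i * 10)}] "POST /v1/query HTTP/1.1" 200 512'
             for i in range(5)]
    lines += [f'10.0.0.5 - - [{stamp(55)}] "GET /v1/querry HTTP/1.1" 404 22',
              f'10.0.0.5 - - [{stamp(58)}] "GET /v1/querry HTTP/1.1" 404 22']
    lines += [f'198.51.100.7 - - [{stamp(i)}] "GET /v1/does-not-exist-{i:04d} HTTP/1.1" 404 22'
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for alert in detect_404_floods(sample_log()):
        print(alert)
```

On the constructed sample the detector fires once, for 198.51.100.7 at its twentieth 404, and stays silent for the benign client whose two 404s hit the same path. The thresholds are starting points; tune them against the service's normal 404 rate, and feed the same signal into the rate limiter or WAF in front of the service rather than only into an alert.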

References

https://access.redhat.com/security/cve/CVE-2025-2586
https://bugzilla.redhat.com/show_bug.cgi?id=2353998