CVE-2025-2586

A flaw was found in the OpenShift Lightspeed Service, which is vulnerable to unauthenticated API request flooding. Repeated queries to non-existent endpoints inflate metrics storage and processing, consuming excessive resources. This issue can lead to monitoring system degradation, increased disk usage, and potential service unavailability. Since the issue does not require authentication, an external attacker can exhaust CPU, RAM, and disk space, impacting both application and cluster stability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2025-2586
https://bugzilla.redhat.com/show_bug.cgi?id=2353998

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se detectó una falla en el servicio OpenShift Lightspeed, vulnerable a la inundación de solicitudes de API no autenticadas. Las consultas repetidas a endpoints inexistentes inflan el almacenamiento y el procesamiento de métricas, consumiendo recursos excesivos. Este problema puede provocar la degradación del sistema de monitorización, un mayor uso del disco y la posible indisponibilidad del servicio. Dado que el problema no requiere autenticación, un atacante externo puede agotar la CPU, la RAM y el espacio en disco, lo que afecta la estabilidad tanto de la aplicación como del clúster.

31 Mar 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-31 12:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-2586

Mitre link : CVE-2025-2586

CVE.ORG link : CVE-2025-2586

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

7.5 /10