{"id":"CVE-2021-25735","details":"A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.","aliases":["GHSA-g42g-737j-qx6j","GO-2022-0907"],"modified":"2026-04-10T04:31:07.288799Z","published":"2021-09-06T12:15:07.617Z","related":["CGA-5rxh-9v6c-96vf","openSUSE-SU-2025:15424-1"],"references":[{"type":"ADVISORY","url":"https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y"},{"type":"FIX","url":"https://github.com/kubernetes/kubernetes/issues/100096"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/kubernetes","events":[{"introduced":"0"},{"fixed":"6f6ce59dc8fefde25a3ba0ef0047f4ec6662ef24"},{"introduced":"e19964183377d0ec2052d1f1fa930c4d7575bd50"},{"fixed":"98d5dc5d36d34a7ee13368a7893dcb400ec4e566"},{"introduced":"af46c47ce925f4c4ad5cc8d1fca46c7b77d13b38"},{"fixed":"8a62859e515889f07e3e3be6a1080413f17cf2c3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.18.18"},{"introduced":"1.19.0"},{"fixed":"1.19.10"},{"introduced":"1.20.0"},{"fixed":"1.20.6"}]}}],"versions":["v0.13.1-dev","v0.17.0","v1.1.0-alpha.0","v1.1.0-alpha.1","v1.10.0-alpha.0","v1.10.0-alpha.1","v1.10.0-alpha.2","v1.10.0-alpha.3","v1.11.0-alpha.0","v1.11.0-alpha.1","v1.11.0-alpha.2","v1.12.0-alpha.0","v1.12.0-alpha.1","v1.13.0-alpha.0","v1.13.0-alpha.1","v1.13.0-alpha.2","v1.13.0-alpha.3","v1.14.0-alpha.0","v1.14.0-alpha.1","v1.14.0-alpha.2","v1.14.0-alpha.3","v1.15.0-alpha.0","v1.15.0-alpha.1","v1.15.0-alpha.2","v1.15.0-alpha.3","v1.16.0-alpha.0","v1.16.0-alpha.1","v1.16.0-alpha.2","v1.16.0-alpha.3","v1.17.0-alpha.0","v1.17.0-alpha.1","v1.17.0-alpha.2","v1.17.0-alpha.3","v1.18.0","v1.18.0-alpha.0","v1.18.0-alpha.1","v1.18.0-alpha.2","v1.18.0-alpha.4","v1.18.0-alpha.5","v1.18.0-beta.0","v1.18.0-beta.1","v1.18.0-beta.2","v1.18.0-rc.1","v1.18.1","v1.18.1-beta.0","v1.18.10","v1.18.10-rc.0","v1.18.11-rc.0","v1.18.12","v1.18.12-rc.1","v1.18.13","v1.18.13-rc.0","v1.18.14","v1.18.14-rc.0","v1.18.14-rc.1","v1.18.15","v1.18.15-rc.0","v1.18.16","v1.18.16-rc.0","v1.18.17","v1.18.17-rc.0","v1.18.18-rc.0","v1.18.2","v1.18.2-beta.0","v1.18.3","v1.18.3-beta.0","v1.18.4","v1.18.4-rc.0","v1.18.5","v1.18.5-rc.0","v1.18.5-rc.1","v1.18.6","v1.18.6-rc.0","v1.18.7-rc.0","v1.18.8","v1.18.8-rc.1","v1.18.9","v1.18.9-rc.0","v1.19.0","v1.19.0-alpha.0","v1.19.1","v1.19.1-rc.0","v1.19.10-rc.0","v1.19.2","v1.19.2-rc.0","v1.19.3","v1.19.3-rc.0","v1.19.4","v1.19.4-rc.0","v1.19.5","v1.19.5-rc.0","v1.19.6","v1.19.6-rc.0","v1.19.6-rc.1","v1.19.7","v1.19.7-rc.0","v1.19.8","v1.19.8-rc.0","v1.19.9","v1.19.9-rc.0","v1.2.0-alpha.1","v1.2.0-alpha.2","v1.2.0-alpha.3","v1.2.0-alpha.4","v1.2.0-alpha.5","v1.2.0-alpha.6","v1.2.0-alpha.7","v1.2.0-alpha.8","v1.20.0","v1.20.1","v1.20.1-rc.0","v1.20.1-rc.1","v1.20.2","v1.20.2-rc.0","v1.20.3","v1.20.3-rc.0","v1.20.4","v1.20.4-rc.0","v1.20.5","v1.20.5-rc.0","v1.20.6-rc.0","v1.3.0-alpha.0","v1.3.0-alpha.1","v1.3.0-alpha.2","v1.3.0-alpha.3","v1.3.0-alpha.4","v1.3.0-alpha.5","v1.4.0-alpha.1","v1.4.0-alpha.2","v1.4.0-alpha.3","v1.5.0-alpha.0","v1.5.0-alpha.1","v1.5.0-alpha.2","v1.6.0-alpha.0","v1.6.0-alpha.1","v1.6.0-alpha.2","v1.6.0-alpha.3","v1.7.0-alpha.0","v1.7.0-alpha.1","v1.7.0-alpha.2","v1.7.0-alpha.3","v1.7.0-alpha.4","v1.8.0-alpha.0","v1.8.0-alpha.1","v1.8.0-alpha.2","v1.8.0-alpha.3","v1.9.0-alpha.0","v1.9.0-alpha.1","v1.9.0-alpha.2","v1.9.0-alpha.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25735.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"}]}