Homepage

Race Condition Affecting k8s.io/kubernetes/pkg/controller/namespace/deletion package, versions >=1.3.0 <1.33.0-alpha.3

Severity

 Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-K8SIOKUBERNETESPKGCONTROLLERNAMESPACEDELETION-9486545
  • published20 Mar 2025
  • disclosed20 Mar 2025
  • creditJohn McGuinness, Aaron Coffey
Report a new vulnerability Found a mistake?

Introduced: 20 Mar 2025

NewCVE-2024-7598  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

Upgrade k8s.io/kubernetes/pkg/controller/namespace/deletion to version 1.33.0-alpha.3 or higher.

Overview

Affected versions of this package are vulnerable to Race Condition during the namespace deletion process in deleteAllContent() in namespaced_resources_deleter.go. An attacker can bypass network restrictions because network policies are deleted before the pods they are meant to protect.

All clusters using the Kubernetes NetworkPolicy API may be vulnerable.

Workaround

This vulnerability can be avoided by manually deleting resources before triggering namespaced resource deletion or by implementing a finalizer policy to enforce safe ordered deletion behavior (see https://github.com/kubernetes-sigs/network-policy-finalizer).

CVSS Base Scores

version 4.0
version 3.1