CVE-2025-2586
Published: 31 March 2025
Summary
CVE-2025-2586 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked in the top 44.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 directly implements denial-of-service protections at system entry points to block unauthenticated API request flooding and prevent resource exhaustion.
SC-6 protects resource availability through controls like rate limiting and quotas to mitigate excessive CPU, RAM, and disk consumption from repeated queries to non-existent endpoints.
SC-14 enforces limitations on public access to unauthenticated interfaces, reducing the attack surface for external flooding of the OpenShift Lightspeed Service API.
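The two mechanisms the controls above call for, a per-client quota applied before authentication (SC-5/SC-6) and a bounded metric label for unmatched paths so probing non-existent endpoints cannot inflate metrics storage, as an added illustration that is not code from OpenShift Lightspeed or Red Hat; the route table, client address and flood size are constructed for the example:

```python
from collections import Counter

# Hypothetical route table for illustration; the real service's routes are not on this page.
KNOWN_ROUTES = frozenset({"/v1/query", "/v1/feedback", "/readiness", "/liveness"})


def route_label(path: str) -> str:
    """Map a request path to a bounded metric label.

    Every path that is not a known route collapses to one label, so probing
    thousands of non-existent endpoints cannot create thousands of new
    metric series (the metrics-storage inflation the advisory describes)."""
    return path if path in KNOWN_ROUTES else "<unmatched>"


class TokenBucket:
    """Per-client token bucket quota (SC-6 style) applied before authentication."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self.state = {}  # client key -> (tokens, time of last refill)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


class Gateway:
    """Entry point that rate-limits first (SC-5), then records bounded-label metrics."""

    def __init__(self, limiter: TokenBucket):
        self.limiter = limiter
        self.requests = Counter()  # (route label, status) -> count

    def handle(self, client: str, path: str, now: float) -> int:
        if not self.limiter.allow(client, now):
            return 429  # rejected before any routing or metrics work happens
        status = 200 if path in KNOWN_ROUTES else 404
        self.requests[(route_label(path), status)] += 1
        return status


def simulate_flood(n: int = 5000, burst: int = 20):
    """Constructed flood: one client hitting n distinct non-existent paths at once."""
    gw = Gateway(TokenBucket(rate_per_sec=0.0, burst=burst))
    statuses = Counter(gw.handle("203.0.113.7", f"/v1/nope-{i}", now=1.0) for i in range(n))
    return statuses, len(gw.requests)
```

With the quota in place, 5000 distinct bogus paths produce only one metric series and all but the first `burst` requests are refused before they reach routing.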
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables direct exploitation via unauthenticated API request flooding to non-existent endpoints, causing application-level resource exhaustion (CPU, RAM, disk) and service unavailability, which maps precisely to Application Exhaustion Flood.
NVD Description
A flaw was found in the OpenShift Lightspeed Service, which is vulnerable to unauthenticated API request flooding. Repeated queries to non-existent endpoints inflate metrics storage and processing, consuming excessive resources. This issue can lead to monitoring system degradation, increased disk usage, and potential service unavailability. Since the issue does not require authentication, an external attacker can exhaust CPU, RAM, and disk space, impacting both application and cluster stability.
Deeper analysis
CVE-2025-2586 is a vulnerability in the OpenShift Lightspeed Service that enables unauthenticated API request flooding. Attackers can send repeated queries to non-existent endpoints, which inflates metrics storage and processing, resulting in excessive resource consumption. This leads to monitoring system degradation, increased disk usage, and potential service unavailability. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).
Any external attacker can exploit this vulnerability without authentication, requiring only network access and low complexity. Successful exploitation allows the attacker to exhaust CPU, RAM, and disk space on the affected system, thereby degrading monitoring capabilities and potentially causing broader impacts on application and cluster stability, up to service unavailability.
Mitigation details are available in the official advisories, including the Red Hat security page at https://access.redhat.com/security/cve/CVE-2025-2586 and the Bugzilla tracking entry at https://bugzilla.redhat.com/show_bug.cgi?id=2353998.
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)