CVE-2025-2586 HIGH

CVE-2025-2586: ols: unauthenticated metrics flooding in OpenShift Lightspeed Service leading to resource exhaustion

Vendor Red Hat
Product OpenShift Lightspeed
Weakness CWE-400
Published March 31, 2025
Last update November 20, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

A flaw was found in the OpenShift Lightspeed Service (OLS): its API can be flooded with unauthenticated requests. Repeated queries to non-existent endpoints inflate metrics storage and processing, consuming excessive resources. This can degrade the monitoring system, increase disk usage, and make the service unavailable. Because no authentication is required, an external attacker can exhaust CPU, RAM, and disk space, affecting both application and cluster stability.
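The following is an added illustration in Python, not code from OpenShift Lightspeed or Red Hat. It assumes the flaw has the usual CWE-400 shape for HTTP metrics: a request counter labelled with the raw URL path, so each 404 to a never-before-seen path creates a fresh time series (that assumption, the route table, the series cap and the access-log lines are all constructed for the example). It contrasts that naive collector with a bounded one that labels by matched route template and folds every unmatched path into a single label value, and adds a small log check that flags clients generating many distinct 404 paths.

```python
"""Unbounded metric cardinality from unauthenticated 404 floods (illustration).

ASSUMPTION: the vulnerable collector keys a counter on the raw request path.
Nothing here is OLS's real code; routes and traffic are constructed.
"""
import re
from collections import Counter

# Hypothetical route table for the example (not the service's real routes).
KNOWN_ROUTES = [
    ("POST", re.compile(r"^/v1/query$")),
    ("GET", re.compile(r"^/readiness$")),
    ("GET", re.compile(r"^/liveness$")),
    ("GET", re.compile(r"^/metrics$")),
]


class NaiveCollector:
    """Vulnerable shape: one series per (method, raw path, status).
    Every distinct non-existent path an attacker requests adds a series."""

    def __init__(self):
        self.series = Counter()

    def observe(self, method, path, status):
        self.series[(method, path, status)] += 1

    def series_count(self):
        return len(self.series)


class BoundedCollector:
    """Hardened shape: label by matched route template; all unknown paths
    share the single label value "unmatched". A hard cap on the number of
    series is kept as a second line of defence."""

    def __init__(self, max_series=1000):
        self.series = Counter()
        self.max_series = max_series
        self.dropped = 0

    @staticmethod
    def route_label(method, path):
        for known_method, pattern in KNOWN_ROUTES:
            if known_method == method and pattern.match(path):
                return pattern.pattern  # finite set of template strings
        return "unmatched"

    def observe(self, method, path, status):
        key = (method, self.route_label(method, path), status)
        if key not in self.series and len(self.series) >= self.max_series:
            self.dropped += 1  # refuse to grow beyond the cap
            return
        self.series[key] += 1

    def series_count(self):
        return len(self.series)


def simulate_flood(collector, n):
    """n unauthenticated GETs to distinct non-existent paths (all 404),
    plus two legitimate requests. Returns the resulting series count."""
    for i in range(n):
        collector.observe("GET", f"/does-not-exist/{i}", 404)
    collector.observe("POST", "/v1/query", 200)
    collector.observe("GET", "/readiness", 200)
    return collector.series_count()


# Detection side: count distinct 404 paths per client in access-log lines.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed access-log sample: one flooder, one normal client.
SAMPLE_ACCESS_LOG = [
    f'198.51.100.7 - - [31/Mar/2025:10:00:{i % 60:02d} +0000] '
    f'"GET /does-not-exist/{i} HTTP/1.1" 404 0'
    for i in range(60)
] + [
    '203.0.113.5 - - [31/Mar/2025:10:01:00 +0000] "POST /v1/query HTTP/1.1" 200 512',
    '203.0.113.5 - - [31/Mar/2025:10:01:05 +0000] "GET /typo HTTP/1.1" 404 0',
]


def distinct_404_paths_by_client(lines):
    per_client = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if status == "404":
            per_client.setdefault(ip, set()).add(path)
    return {ip: len(paths) for ip, paths in per_client.items()}


def flag_flooders(lines, threshold=50):
    """Clients whose distinct-404-path count meets the threshold."""
    counts = distinct_404_paths_by_client(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("naive series:", simulate_flood(NaiveCollector(), 5000))
    print("bounded series:", simulate_flood(BoundedCollector(), 5000))
    print("flooders:", flag_flooders(SAMPLE_ACCESS_LOG))
```

The point of the bounded collector is that the label set is determined by the server's own route table, not by attacker-supplied input; the series cap only matters if a route pattern itself is accidentally unbounded. The log check is a coarse heuristic for the same traffic pattern and should be tuned per environment.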

Key dates

Disclosure timeline

March 31, 2025 CVE published
November 20, 2025 Record updated