Volcano Unbounded HTTP Request Body Size Vulnerability in Webhook Server Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Volcano batch scheduling system for Kubernetes, affecting versions prior to v1.14.2, v1.13.3, and v1.12.4. The issue arises because the Volcano webhook server does not limit the size of incoming HTTP request bodies. This lack of restriction allows any in-cluster pod with access to the webhook endpoint to send excessively large request bodies, potentially causing the webhook server to be terminated due to out-of-memory conditions. All Volcano deployments with the webhook server accessible to in-cluster traffic are vulnerable.

Impact

Exploitation of this vulnerability can lead to the Volcano webhook server being killed due to out-of-memory conditions, causing a denial-of-service effect on the webhook functionality.

Remediation

Users should upgrade to Volcano versions v1.14.2, v1.13.3, or v1.12.4.
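The missing control described above is a cap on how much of an incoming request body the webhook will buffer. The following is an added illustration, not Volcano's own code or its fix: a minimal admission handler that wraps the body in http.MaxBytesReader and answers 413 once the cap is exceeded, so an oversized body cannot be read fully into memory. The 1 MiB limit, the handler name and the stand-in admissionReview type are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
)

// maxAdmissionBodyBytes is an assumed cap for one AdmissionReview body;
// the value is illustrative, not taken from the Volcano patch.
const maxAdmissionBodyBytes = 1 << 20 // 1 MiB

// admissionReview is a minimal stand-in for the Kubernetes AdmissionReview
// type so this example runs without client-go dependencies.
type admissionReview struct {
	APIVersion string          `json:"apiVersion"`
	Kind       string          `json:"kind"`
	Request    json.RawMessage `json:"request"`
}

// readAdmissionBody reads at most limit bytes; beyond that the reader
// returns *http.MaxBytesError and the server closes the connection.
func readAdmissionBody(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	return io.ReadAll(r.Body)
}

// serveAdmission is the hardened handler: it rejects oversized bodies
// before attempting to decode them.
func serveAdmission(w http.ResponseWriter, r *http.Request) {
	body, err := readAdmissionBody(w, r, maxAdmissionBodyBytes)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "failed to read request body", http.StatusBadRequest)
		return
	}
	var review admissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/validate", serveAdmission)
	log.Fatal(http.ListenAndServe("127.0.0.1:8443", nil))
}
```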

Added: May 28, 2026, 3:11 AM
Updated: May 28, 2026, 3:11 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.5
remediation: 0.0
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.