Skip to main content

CVE-2025-9566

HIGH
Path Traversal (CWE-22)
2025-09-05 secalert@redhat.com GHSA-wp3j-xq48-xpjw
8.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 19, 2026 - 20:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 19, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 19, 2026 - 18:30 vuln.today
CVE Published
Sep 05, 2025 - 20:15 nvd
HIGH 8.1

DescriptionCVE.org

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.

Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1

AnalysisAI

Podman versions 4.0.0 through 5.6.0 allow authenticated remote attackers to overwrite arbitrary host files via symlink-based path traversal during 'kube play' operations. Attackers with low-privilege Kubernetes YAML deployment rights can craft Secret or ConfigMap volume mounts containing symlinks that redirect writes to host filesystem targets. While attackers control which file is overwritten, they cannot control the written content, enabling denial-of-service or integrity attacks against critical system files. Fixed in v5.6.1 with extensive Red Hat advisory coverage across RHEL distributions. EPSS score of 0.05% (15th percentile) suggests low observed exploitation probability despite confirmed patch availability.

Technical ContextAI

Podman is a daemonless container engine for developing, managing, and running OCI containers. The 'podman kube play' command applies Kubernetes YAML manifests to create containers/pods, supporting Secret and ConfigMap volume mounts similar to Kubernetes. The vulnerability stems from improper path validation (CWE-22: Path Traversal) when processing volume mount paths from untrusted YAML. If a Secret or ConfigMap contains a symbolic link pointing outside the intended volume directory, Podman follows the symlink during file write operations, allowing writes to arbitrary host paths. The attacker's ability to control the target path but not the content suggests the vulnerability occurs during metadata or placeholder file creation rather than full content injection. Introduced in v4.0.0 when kube play support was enhanced, affecting all podman versions in the 4.x and 5.0-5.6.0 release lines. The CVSS vector (AV:N/AC:L/PR:L/UI:N) reflects that exploitation requires authenticated access to submit Kubernetes manifests but otherwise has low attack complexity.

Affected ProductsAI

Podman container engine versions 4.0.0 through 5.6.0 are vulnerable. Fixed in upstream version 5.6.1 and later. Red Hat Enterprise Linux distributions received patches via multiple advisories: RHBA-2025:15692, RHBA-2025:15712, RHBA-2025:16158, RHBA-2025:16163, RHEA-2025:4782 (bug/enhancement advisories), and security updates RHSA-2025:15900, RHSA-2025:15901, RHSA-2025:15904, RHSA-2025:16480, RHSA-2025:16481, RHSA-2025:16482, RHSA-2025:16488, RHSA-2025:16515, RHSA-2025:16724, RHSA-2025:17669. Exact RHEL version coverage available at respective Red Hat advisory URLs. Non-Red Hat distributions packaging podman 4.0.0-5.6.0 should consult upstream release notes and distribution security trackers.

RemediationAI

Upgrade podman to version 5.6.1 or later from upstream GitHub releases (https://github.com/containers/podman/releases). Red Hat Enterprise Linux users should apply relevant RHSA advisories corresponding to their distribution version-consult https://access.redhat.com/errata/ with the RHSA identifiers listed above to download patches via yum/dnf update. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Restrict 'podman kube play' command execution to trusted administrators only via sudo policies or SELinux/AppArmor confinement-reduces usability for development workflows requiring self-service container deployment. (2) Implement mandatory YAML manifest review/approval before execution, scanning for volume mounts with suspicious paths or symlink references-adds operational overhead and delays deployment velocity. (3) Run podman in user namespaces with restricted filesystem capabilities, limiting write access to sensitive host paths-may break legitimate use cases requiring host volume mounts. (4) Deploy podman in isolated environments (containers, VMs) with minimal writable host filesystems exposed-increases infrastructure complexity. No complete workaround exists without patching; all mitigations trade security for reduced functionality or increased operational burden.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.94 Affected
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.82 Affected
Container suse/sl-micro/6.1/base-os-container:2.2.1-5.105 Affected
Container suse/sle-micro/5.5:2.0.4-5.5.390 Image SLES15-SP5-Manager-Proxy-5-0-BYOS Image SLES15-SP5-Manager-Proxy-5-0-BYOS-Azure Image SLES15-SP5-Manager-Proxy-5-0-BYOS-EC2 Image SLES15-SP5-Manager-Proxy-5-0-BYOS-GCE Image SLES15-SP5-Manager-Server-5-0 Image SLES15-SP5-Manager-Server-5-0-Azure-llc Image SLES15-SP5-Manager-Server-5-0-Azure-ltd Image SLES15-SP5-Manager-Server-5-0-BYOS Image SLES15-SP5-Manager-Server-5-0-BYOS-Azure Image SLES15-SP5-Manager-Server-5-0-BYOS-EC2 Image SLES15-SP5-Manager-Server-5-0-BYOS-GCE Image SLES15-SP5-Manager-Server-5-0-EC2-llc Image SLES15-SP5-Manager-Server-5-0-EC2-ltd Image SLES15-SP5-Micro-5-5 Image SLES15-SP5-Micro-5-5-Azure Image SLES15-SP5-Micro-5-5-BYOS Image SLES15-SP5-Micro-5-5-BYOS-Azure Image SLES15-SP5-Micro-5-5-BYOS-EC2 Image SLES15-SP5-Micro-5-5-BYOS-GCE Image SLES15-SP5-Micro-5-5-EC2 Image SLES15-SP5-Micro-5-5-GCE Affected

Share

CVE-2025-9566 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy