CVE-2025-9566

HIGH 8.1 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd). Patch available.
Analysis Generated: Mar 19, 2026 - 18:30 (vuln.today)
CVE Published: Sep 05, 2025 - 20:15 (nvd). HIGH 8.1

Description

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.

Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1

Analysis

A path traversal vulnerability in Podman allows attackers with low-privileged access to overwrite arbitrary files on the host system when using the 'kube play' command with maliciously crafted Kubernetes manifests containing Secret or ConfigMap volume mounts with symbolic links. While the attacker cannot control the content written to the target file, they can cause denial of service or integrity issues by overwriting critical system files. The vulnerability has a low EPSS score of 0.05%, indicating minimal real-world exploitation activity observed so far.

Technical Context

The vulnerability affects Podman, a daemonless container engine for developing and managing OCI containers on Linux systems. The issue stems from improper path validation (CWE-22: Path Traversal) when processing Kubernetes YAML files through the 'kube play' command, which is used to create pods and containers from Kubernetes manifests. When Secret or ConfigMap volumes in the manifest contain symbolic links pointing to host filesystem paths, Podman fails to properly sanitize these paths, allowing the symbolic links to be followed during volume mount operations, ultimately enabling writes outside the intended container boundary.
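
The failure mode described above, as an added Go example (not Podman's code and not the upstream fix): a write into a volume directory follows a symlink that is already there, while opening the final path component with O_NOFOLLOW fails instead. The function names, file names and directory layout are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// writeNaive follows a symlink already present at dir/key and truncates its target.
func writeNaive(dir, key string, data []byte) error {
	return os.WriteFile(filepath.Join(dir, key), data, 0o644)
}

// writeNoFollow rejects keys with path elements and opens the last component with
// O_NOFOLLOW (ELOOP on a symlink). Symlinks in parent directories are not covered.
func writeNoFollow(dir, key string, data []byte) error {
	if key == "" || key == "." || key == ".." || strings.ContainsAny(key, `/\`) {
		return fmt.Errorf("invalid key name %q", key)
	}
	f, err := os.OpenFile(filepath.Join(dir, key), os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo (constructed layout): root/host.conf is the "host" file, root/vol the volume dir.
func demo(root string) (afterSafe, afterNaive string, safeErr error) {
	target, vol := filepath.Join(root, "host.conf"), filepath.Join(root, "vol")
	os.WriteFile(target, []byte("original"), 0o644)
	os.Mkdir(vol, 0o755)
	os.Symlink(target, filepath.Join(vol, "app.conf")) // pre-planted link named like a key
	safeErr = writeNoFollow(vol, "app.conf", []byte("configmap data"))
	b, _ := os.ReadFile(target)
	afterSafe = string(b)
	writeNaive(vol, "app.conf", []byte("configmap data"))
	b, _ = os.ReadFile(target)
	return afterSafe, string(b), safeErr
}

func main() {
	root, _ := os.MkdirTemp("", "symlink-demo")
	defer os.RemoveAll(root)
	fmt.Println(demo(root))
}
```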

Affected Products

Podman versions from v4.0.0 through v5.6.0 are affected by this vulnerability, with the issue being fixed in v5.6.1. Multiple Red Hat products incorporating Podman are impacted, as evidenced by numerous Red Hat Security Advisories (RHSA) and Bug Advisories (RHBA) released in January 2025, including updates for Red Hat Enterprise Linux 8, 9, and related container platforms. The extensive list of Red Hat advisories (RHSA-2025:15900 through RHSA-2025:17669) indicates widespread deployment across Red Hat's ecosystem requiring coordinated patching efforts.

Remediation

Upgrade Podman to version 5.6.1 or later to fully address this vulnerability. For Red Hat customers, apply the appropriate security updates referenced in the advisories for your specific product version (see https://access.redhat.com/errata/ for detailed guidance). As a temporary mitigation, restrict access to the 'kube play' command to trusted users only and implement strict validation of Kubernetes manifest files before processing. Consider using admission controllers or policy engines to scan manifests for symbolic links in Secret or ConfigMap volume definitions before allowing their deployment.

Priority Score

41 (KEV: 0, EPSS: +0.0, CVSS: +40, POC: 0)
