CWE-61
UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CVE-2025-30485 (GCVE-0-2025-30485)
Vulnerability from cvelistv5 – Published: 2025-04-03 06:18 – Updated: 2025-04-03 13:41
VLAI
Summary
UNIX symbolic link (Symlink) following issue exists in FutureNet NXR series, VXR series and WXR series routers. Attaching to the affected product an external storage containing malicious symbolic link files, a logged-in administrative user may obtain and/or destroy internal files.
Severity
6.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX symbolic link (Symlink) following
Assigner
References
2 references
Impacted products
32 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T13:39:37.971930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T13:41:26.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FutureNet NXR-1420",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 31.0.1 and earlier"
}
]
},
{
"product": "FutureNet NXR-1300 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 7.4.12 and earlier"
}
]
},
{
"product": "FutureNet NXR-650",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.16.5 and earlier"
}
]
},
{
"product": "FutureNet NXR-610X series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.14.11D and earlier"
}
]
},
{
"product": "FutureNet NXR-530",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.11.15 and earlier"
}
]
},
{
"product": "FutureNet NXR-350/C",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 5.30.9C and earlier"
}
]
},
{
"product": "FutureNet NXR-230/C",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 5.30.13 and earlier"
}
]
},
{
"product": "FutureNet NXR-160/LW",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.8.4 and earlier"
}
]
},
{
"product": "FutureNet NXR-G540 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.17.0"
}
]
},
{
"product": "FutureNet NXR-G260 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 9.12.17 and earlier"
}
]
},
{
"product": "FutureNet NXR-G240 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 9.12.17 and earlier"
}
]
},
{
"product": "FutureNet NXR-G180/L-CA",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.7.33 and earlier"
}
]
},
{
"product": "FutureNet NXR-G120 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.15.2C1 and earlier"
}
]
},
{
"product": "FutureNet NXR-G110 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.15.10 and earlier"
}
]
},
{
"product": "FutureNet NXR-G100 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 6.23.11 and earlier"
}
]
},
{
"product": "FutureNet NXR-G060 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.15.6C2 and earlier"
}
]
},
{
"product": "FutureNet NXR-G050 series",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.12.11 and earlier"
}
]
},
{
"product": "FutureNet VXR-x64",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 21.7.33 and earlier"
}
]
},
{
"product": "FutureNet VXR-x86",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "firmware version 10.1.5 and earlier"
}
]
},
{
"product": "FutureNet NXR-1200",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-130/C",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-155/C-L",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-155/C-XW",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-155/C-WM",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-125/CX",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-120/C",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-G100/SLW",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-G100/SL",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-G100/S",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-G100/N",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet NXR-G100/F",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
},
{
"product": "FutureNet WXR-250",
"vendor": "Century Systems Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UNIX symbolic link (Symlink) following issue exists in FutureNet NXR series, VXR series and WXR series routers. Attaching to the affected product an external storage containing malicious symbolic link files, a logged-in administrative user may obtain and/or destroy internal files."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "UNIX symbolic link (Symlink) following",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T06:18:36.311Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.centurysys.co.jp/backnumber/common/jvnvu92821536.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU92821536/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-30485",
"datePublished": "2025-04-03T06:18:36.311Z",
"dateReserved": "2025-03-24T00:55:23.294Z",
"dateUpdated": "2025-04-03T13:41:26.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31133 (GCVE-0-2025-31133)
Vulnerability from cvelistv5 – Published: 2025-11-06 18:47 – Updated: 2025-11-06 19:22
VLAI
Title
runc container escape via "masked path" abuse due to mount race conditions
Summary
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/opencontainers/runc/security/a… | x_refsource_CONFIRM |
| https://github.com/opencontainers/runc/commit/1a3… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/5d7… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/847… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/db1… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| opencontainers | runc |
Affected:
< 1.2.8
Affected: >= 1.3.0-rc.1, < 1.3.3 Affected: >= 1.4.0-rc.1, <= 1.4.0-rc.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T19:03:45.356326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T19:22:22.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "runc",
"vendor": "opencontainers",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.8"
},
{
"status": "affected",
"version": "\u003e= 1.3.0-rc.1, \u003c 1.3.3"
},
{
"status": "affected",
"version": "\u003e= 1.4.0-rc.1, \u003c= 1.4.0-rc.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-363",
"description": "CWE-363: Race Condition Enabling Link Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T18:47:47.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
},
{
"name": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522"
},
{
"name": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66"
},
{
"name": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f"
},
{
"name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
}
],
"source": {
"advisory": "GHSA-9493-h29p-rfm2",
"discovery": "UNKNOWN"
},
"title": "runc container escape via \"masked path\" abuse due to mount race conditions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31133",
"datePublished": "2025-11-06T18:47:47.335Z",
"dateReserved": "2025-03-26T15:04:52.627Z",
"dateUpdated": "2025-11-06T19:22:22.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-33225 (GCVE-0-2025-33225)
Vulnerability from cvelistv5 – Published: 2025-12-16 17:37 – Updated: 2025-12-16 18:04
VLAI
Summary
NVIDIA Resiliency Extension for Linux contains a vulnerability in log aggregation, where an attacker could cause predictable log-file names. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, denial of service, information disclosure, and data tampering.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NVIDIA | Resiliency Extension |
Affected:
Main branch prior to 0.5.0 release
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-33225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T17:50:59.776749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T18:04:44.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Resiliency Extension",
"vendor": "NVIDIA",
"versions": [
{
"status": "affected",
"version": "Main branch prior to 0.5.0 release"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": true,
"type": "text/html",
"value": "NVIDIA Resiliency Extension for Linux contains a vulnerability in log aggregation, where an attacker could cause predictable log-file names. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, denial of service, information disclosure, and data tampering."
}
],
"value": "NVIDIA Resiliency Extension for Linux contains a vulnerability in log aggregation, where an attacker could cause predictable log-file names. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, denial of service, information disclosure, and data tampering."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Escalation of privileges, code execution, information disclosure, denial of service, data tampering"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61 UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T17:37:46.433Z",
"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"shortName": "nvidia"
},
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33225"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33225"
},
{
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5746"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "NVIDIA PSIRT"
}
}
},
"cveMetadata": {
"assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"assignerShortName": "nvidia",
"cveId": "CVE-2025-33225",
"datePublished": "2025-12-16T17:37:46.433Z",
"dateReserved": "2025-04-15T18:51:06.915Z",
"dateUpdated": "2025-12-16T18:04:44.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36564 (GCVE-0-2025-36564)
Vulnerability from cvelistv5 – Published: 2025-06-03 14:41 – Updated: 2026-02-26 18:27
VLAI
Summary
Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00032520… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Encryption Admin Utilities |
Affected:
N/A , < 11.10.2
(semver)
|
Date Public
2025-06-02 17:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T03:56:04.343578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:27:38.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Encryption Admin Utilities",
"vendor": "Dell",
"versions": [
{
"lessThan": "11.10.2",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dell Technologies would like to thank FalconCorrup for reporting this issue."
}
],
"datePublic": "2025-06-02T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation.\u003cbr\u003e"
}
],
"value": "Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:41:03.795Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000325203/dsa-2025-224"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-36564",
"datePublished": "2025-06-03T14:41:03.795Z",
"dateReserved": "2025-04-15T21:29:33.583Z",
"dateUpdated": "2026-02-26T18:27:38.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-43853 (GCVE-0-2025-43853)
Vulnerability from cvelistv5 – Published: 2025-05-15 17:13 – Updated: 2025-05-15 18:05
VLAI
Title
iwasm vulnerable to filesystem sandbox escape with symlink when using uvwasi feature
Summary
The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with create flag will create a file on host outside of the sandbox. If the symlink points to an existing host file, it's also possible to open it and read its content. Version 2.3.0 fixes the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasm-micro-ru… | x_refsource_CONFIRM |
| https://github.com/bytecodealliance/wasm-micro-ru… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bytecodealliance | wasm-micro-runtime |
Affected:
< 2.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43853",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T18:04:48.732113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T18:05:18.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wasm-micro-runtime",
"vendor": "bytecodealliance",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The WebAssembly Micro Runtime\u0027s (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with create flag will create a file on host outside of the sandbox. If the symlink points to an existing host file, it\u0027s also possible to open it and read its content. Version 2.3.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T17:13:11.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-8fc8-4g25-c8m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-8fc8-4g25-c8m7"
},
{
"name": "https://github.com/bytecodealliance/wasm-micro-runtime/commit/28702edaf739cdeee54e81efe5868bf00724c33c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bytecodealliance/wasm-micro-runtime/commit/28702edaf739cdeee54e81efe5868bf00724c33c"
}
],
"source": {
"advisory": "GHSA-8fc8-4g25-c8m7",
"discovery": "UNKNOWN"
},
"title": "iwasm vulnerable to filesystem sandbox escape with symlink when using uvwasi feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-43853",
"datePublished": "2025-05-15T17:13:11.825Z",
"dateReserved": "2025-04-17T20:07:08.555Z",
"dateUpdated": "2025-05-15T18:05:18.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-43991 (GCVE-0-2025-43991)
Vulnerability from cvelistv5 – Published: 2025-10-13 14:30 – Updated: 2025-10-14 14:34
VLAI
Summary
SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00037836… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | SupportAssist for Home PCs |
Affected:
N/A , < 4.10.1
(semver)
|
|
| Dell | SupportAssist for Business PCs |
Affected:
N/A , < 4.9.0
(semver)
|
Date Public
2025-10-06 17:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T14:34:16.209824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:34:23.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportAssist for Home PCs",
"vendor": "Dell",
"versions": [
{
"lessThan": "4.10.1",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SupportAssist for Business PCs",
"vendor": "Dell",
"versions": [
{
"lessThan": "4.9.0",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dell would like to thank Carson Chan for reporting this issue."
}
],
"datePublic": "2025-10-06T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system."
}
],
"value": "SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-13T16:18:20.777Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000378367/dsa-2025-362-security-update-for-dell-supportassist-for-home-pcs-and-dell-supportassist-for-business-pcs-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-43991",
"datePublished": "2025-10-13T14:30:55.576Z",
"dateReserved": "2025-04-21T05:03:43.634Z",
"dateUpdated": "2025-10-14T14:34:23.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46810 (GCVE-0-2025-46810)
Vulnerability from cvelistv5 – Published: 2025-09-02 11:34 – Updated: 2026-02-26 17:49
VLAI
Summary
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.29.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openSUSE | Tumbleweed |
Affected:
? , < 2.11.29
(semver)
|
Date Public
2025-08-30 03:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T03:55:31.871174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:49:54.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "traefik2",
"product": "Tumbleweed",
"vendor": "openSUSE",
"versions": [
{
"lessThan": "2.11.29",
"status": "affected",
"version": "?",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johannes Segitz of SUSE"
}
],
"datePublic": "2025-08-30T03:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root.\u0026nbsp;\u003cp\u003eThis issue affects Tumbleweed: from ? before 2.11.29.\u003c/p\u003e"
}
],
"value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root.\u00a0This issue affects Tumbleweed: from ? before 2.11.29."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T11:35:54.497Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1245204"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2025-46810",
"datePublished": "2025-09-02T11:34:32.138Z",
"dateReserved": "2025-04-30T11:28:04.728Z",
"dateUpdated": "2026-02-26T17:49:54.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52565 (GCVE-0-2025-52565)
Vulnerability from cvelistv5 – Published: 2025-11-06 20:02 – Updated: 2025-11-06 21:32
VLAI
Title
container escape due to /dev/console mount and related races
Summary
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/opencontainers/runc/security/a… | x_refsource_CONFIRM |
| https://github.com/opencontainers/runc/commit/01d… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/398… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/531… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/9be… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/aee… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/db1… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/de8… | x_refsource_MISC |
| https://github.com/opencontainers/runc/commit/ff9… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| opencontainers | runc |
Affected:
>= 1.0.0-rc3, < 1.2.8
Affected: >= 1.3.0-rc.1, < 1.3.3 Affected: >= 1.4.0-rc.1, < 1.4.0-rc.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:32:07.457681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:32:19.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "runc",
"vendor": "opencontainers",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0-rc3, \u003c 1.2.8"
},
{
"status": "affected",
"version": "\u003e= 1.3.0-rc.1, \u003c 1.3.3"
},
{
"status": "affected",
"version": "\u003e= 1.4.0-rc.1, \u003c 1.4.0-rc.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-363",
"description": "CWE-363: Race Condition Enabling Link Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:02:58.513Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
},
{
"name": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4"
},
{
"name": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398"
},
{
"name": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e"
},
{
"name": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d"
},
{
"name": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a"
},
{
"name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
},
{
"name": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8"
},
{
"name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
}
],
"source": {
"advisory": "GHSA-qw9x-cqr3-wc7r",
"discovery": "UNKNOWN"
},
"title": "container escape due to /dev/console mount and related races"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52565",
"datePublished": "2025-11-06T20:02:58.513Z",
"dateReserved": "2025-06-18T03:55:52.036Z",
"dateUpdated": "2025-11-06T21:32:19.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52881 (GCVE-0-2025-52881)
Vulnerability from cvelistv5 – Published: 2025-11-06 20:23 – Updated: 2025-11-06 21:07
VLAI
Title
runc: LSM labels can be bypassed with malicious config using dummy procfs files
Summary
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
20 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| opencontainers | runc |
Affected:
<= 1.2.7, < 1.2.8
Affected: <= 1.3.2, < 1.3.3 Affected: <= 1.4.0-rc.2, < 1.4.0-rc.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:06:59.235416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:07:09.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "runc",
"vendor": "opencontainers",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.2.7, \u003c 1.2.8"
},
{
"status": "affected",
"version": "\u003c= 1.3.2, \u003c 1.3.3"
},
{
"status": "affected",
"version": "\u003c= 1.4.0-rc.2, \u003c 1.4.0-rc.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-363",
"description": "CWE-363: Race Condition Enabling Link Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:23:36.237Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
},
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
},
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
},
{
"name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
},
{
"name": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51"
},
{
"name": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1"
},
{
"name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
},
{
"name": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165"
},
{
"name": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2"
},
{
"name": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28"
},
{
"name": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db"
},
{
"name": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544"
},
{
"name": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f"
},
{
"name": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6"
},
{
"name": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58"
},
{
"name": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d"
},
{
"name": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
},
{
"name": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
},
{
"name": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
},
{
"name": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
}
],
"source": {
"advisory": "GHSA-cgrx-mc8f-2prm",
"discovery": "UNKNOWN"
},
"title": "runc: LSM labels can be bypassed with malicious config using dummy procfs files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52881",
"datePublished": "2025-11-06T20:23:36.237Z",
"dateReserved": "2025-06-20T17:42:25.708Z",
"dateUpdated": "2025-11-06T21:07:09.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53881 (GCVE-0-2025-53881)
Vulnerability from cvelistv5 – Published: 2025-10-02 13:51 – Updated: 2025-10-02 17:38
VLAI
Title
SUSE-specific logrotate configuration allows escalation from mail user/group to root
Summary
A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openSUSE | Tumbleweed |
Affected:
? , < 4.98.2-lp156.248.1
(semver)
|
Date Public
2025-09-26 04:35
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T17:15:08.115894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T17:38:57.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "exim",
"product": "Tumbleweed",
"vendor": "openSUSE",
"versions": [
{
"lessThan": "4.98.2-lp156.248.1",
"status": "affected",
"version": "?",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthias Gerstner of SUSE"
}
],
"datePublic": "2025-09-26T04:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.\u003cp\u003eThis issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.\u003c/p\u003e"
}
],
"value": "A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:51:56.848Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53881"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SUSE-specific logrotate configuration allows escalation from mail user/group to root",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2025-53881",
"datePublished": "2025-10-02T13:51:56.848Z",
"dateReserved": "2025-07-11T10:53:52.681Z",
"dateUpdated": "2025-10-02T17:38:57.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
Mitigation ID: MIT-48.1
Phase: Architecture and Design
Strategy: Separation of Privilege
Description:
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.