ghsa-pwhc-rpq9-4c8w
Vulnerability from github
Published
2025-11-06 15:12
Modified
2025-11-06 23:12
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
containerd affected by a local privilege escalation via wide permissions on CRI directory
Details

Impact

An overly broad default permission vulnerability was found in containerd.

  • /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
  • Allowed local users on the host to potentially access the metadata store and the content store
  • /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
  • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
  • /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration. When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories.

[!NOTE]

/run/containerd and /run/containerd/io.containerd.runtime.v2.task are still created with 0o711. This is an expected behavior for supporting userns-remapped containers.

Workarounds

The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons:

chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim

An alternative mitigation would be to run containerd in rootless mode.

Credits

The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0-beta.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0-beta.0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-25621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-279"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-06T15:12:08Z",
    "nvd_published_at": "2025-11-06T19:15:40Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn overly broad default permission vulnerability was found in containerd.\n\n- `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700\n  - Allowed local users on the host to potentially access the metadata store and the content store\n- `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700\n  - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.\n- `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700\n\nThe directory paths may differ depending on the daemon configuration.\nWhen the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.\n\n### Patches\n\nThis bug has been fixed in the following containerd versions:\n\n* 2.2.0\n* 2.1.5\n* 2.0.7\n* 1.7.29\n\nUsers should update to these versions to resolve the issue.\nThese updates automatically change the permissions of the existing directories.\n\n\u003e [!NOTE]\n\u003e\n\u003e `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711.\n\u003e This is an expected behavior for supporting userns-remapped containers.\n\n### Workarounds\n\nThe system administrator on the host can manually chmod the directories to not \nhave group or world accessible permisisons:\n\n```\nchmod 700 /var/lib/containerd\nchmod 700 /run/containerd/io.containerd.grpc.v1.cri\nchmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim\n```\n\nAn alternative mitigation would be to run containerd in [rootless mode](https://github.com/containerd/containerd/blob/main/docs/rootless.md).\n\n### Credits\n\nThe containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)\n* Email us at [security@containerd.io](mailto:security@containerd.io)\n\nTo report a security issue in containerd:\n\n* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)",
  "id": "GHSA-pwhc-rpq9-4c8w",
  "modified": "2025-11-06T23:12:26Z",
  "published": "2025-11-06T15:12:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containerd/containerd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/blob/main/docs/rootless.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "containerd affected by a local privilege escalation via wide permissions on CRI directory"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.