CVE-2025-9566

NameCVE-2025-9566
DescriptionThere's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1114526

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpod (PTS)bullseye3.0.1+dfsg1-3+deb11u5vulnerable
bookworm4.3.1+ds1-8+deb12u1vulnerable
podman (PTS)trixie5.4.2+ds1-2vulnerable
forky, sid5.6.2+ds1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpodsource(unstable)(unfixed)
podmansourceexperimental5.6.1+ds1-1
podmansource(unstable)5.6.1+ds1-21114526

Notes

[trixie] - podman <no-dsa> (Minor issue)
[bookworm] - libpod <no-dsa> (Minor issue)
[bullseye] - libpod <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2393152
Fixed by: https://github.com/containers/podman/commit/aaf8b9dc0cfec76444f7eda60660347646b90a13 (v5.6.1)
Search for package or bug name: Reporting problems