CVE-2025-54867

EPSS 0.03%
Veröffentlicht 14.08.2025 16:15:39
Zuletzt bearbeitet 10.11.2025 17:50:01
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Youki-dev ≫ Youki Version < 0.5.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.056

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7	1	5.9	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-61 UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

https://github.com/youki-dev/youki/commit/0d9b4f2aa5ceaf988f3eb568711d2acf0a4ace37

Patch

https://github.com/youki-dev/youki/releases/tag/v0.5.5

Release Notes

https://github.com/youki-dev/youki/security/advisories/GHSA-j26p-6wx7-f3pw

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-54867

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54867

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54867

EUVD