CVE-2025-4953

Summary

A flaw was found in Podman. In a Containerfile or Podman, data written to RUN –mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.

Affected Software

VendorProductVersion RangeStatus
0 < *affected
Red HatRed Hat Enterprise Linux 88100020250911075811.afee755d < *unaffected
Red HatRed Hat OpenShift Container Platform 4.123:4.2.0-15.rhaos4.12.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.12412.86.202601061735-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.131:1.29.1-5.rhaos4.13.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.133:2.1.7-5.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.131:1.4.0-5.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:1.26.5-26.rhaos4.13.giteb3d487.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:1.26.0-7.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:2.2.24-5.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:2.15.0-10.rhaos4.13.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:4.13.0-202410181847.p0.g53fd427.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:4.13.0-202410181847.p0.gd2acdd5.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:4.13.0-202410181847.p0.g1397e80.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:4.13.0-202410181847.p0.gd192e90.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:4.13.0-202410181847.p0.g36754b7.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.133:4.4.1-15.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.134:1.1.14-2.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.132:1.11.3-4.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.131:1.29.5-1.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:5.14.0-284.109.1.el9_2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:5.14.0-284.109.1.rt14.394.el9_2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.133:4.4.1-16.rhaos4.13.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.13413.92.202511261311-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.14414.92.202512031525-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.15415.92.202512100122-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.164:4.9.4-16.rhaos4.16.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.16416.94.202512030118-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.17417.94.202511260612-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.185:5.2.2-2.rhaos4.18.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.18418.94.202512022246-0 < *unaffected

Weaknesses

  • CWE-378: Creation of Temporary File With Insecure Permissions

Workarounds

Avoid long-running build steps and overly permissive file permissions. Use RUN –mount=type=secret for sensitive data instead of bind mounts.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References