CVE-2025-9566
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.
Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
4.0.0 < 5.6.1 | affected | ||
| Red Hat | Red Hat Enterprise Linux 10 | 6:5.4.0-13.el10_0 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 10 | 7:5.6.0-5.el10_1 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 10 | 7:5.8.0-2.el10 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8 | 8100020250911075811.afee755d < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | 8060020250919150821.3b538bd8 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.6 Telecommunications Update Service | 8060020250919150821.3b538bd8 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | 8060020250919150821.3b538bd8 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.8 Telecommunications Update Service | 8080020250919060528.0f77c1b7 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | 8080020250919060528.0f77c1b7 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 5:5.4.0-13.el9_6 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 6:5.6.0-6.el9_7 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 6:5.8.0-1.el9 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | 2:4.2.0-6.el9_0.5 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | 2:4.4.1-22.el9_2.4 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support | 4:4.9.4-18.el9_4.3 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.12 | 0:4.18.0-372.164.1.el8_6 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.12 | 0:4.18.0-372.164.1.rt7.325.el8_6 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.12 | 3:4.2.0-15.rhaos4.12.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.12 | 412.86.202510291903-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.13 | 413.92.202510150118-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.14 | 0:5.14.0-284.138.1.el9_2 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.14 | 0:5.14.0-284.138.1.rt14.423.el9_2 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.14 | 3:4.4.1-23.rhaos4.14.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.14 | 414.92.202510211419-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.15 | 0:5.14.0-284.138.1.el9_2 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.15 | 0:5.14.0-284.138.1.rt14.423.el9_2 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.15 | 3:4.4.1-35.rhaos4.15.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 4:2.237.0-2.rhaos4.16.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 0:4.16.0-202509111927.p2.gf3d9123.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 4:4.9.4-16.rhaos4.16.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.17 | 417.94.202510112152-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 4:2.237.0-1.rhaos4.18.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 0:1.31.12-3.rhaos4.18.gitdc59c78.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 0:5.14.0-427.87.1.el9_4 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 0:4.18.0-202509090932.p2.ga4cad44.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 0:4.18.0-202509011551.p2.g018e43a.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 5:5.2.2-11.rhaos4.18.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 418.94.202510230424-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.19 | 4:2.237.0-1.rhaos4.19.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.19 | 0:1.32.8-3.rhaos4.19.git60d4e21.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.19 | 0:4.19.0-202509070341.p2.gb5229e8.assembly.stream.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.19 | 5:5.4.0-7.rhaos4.19.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.19 | 4.19.9.6.202510140714-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.20 | 5:5.4.0-12.rhaos4.20.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.20 | 4.20.9.6.202510220229-0 < * | unaffected |
| Red Hat | Red Hat Hardened Images | 5.8.2-1.hum1 < * | unaffected |
| Red Hat | Red Hat OpenShift Dev Spaces (RHOSDS) 3.24 | 3.24-1760921292 < * | unaffected |
| Red Hat | Red Hat OpenShift Dev Spaces (RHOSDS) 3.24 | 3.24-1761160160 < * | unaffected |
Weaknesses
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Workarounds
Red Hat advises to not run the podman kube play command with untrusted Kubernetes YAML file as input, additionally review the Kubernetes YAML file before running it through podman may help to catch maliciously crafted secretes or volumes that may be used to exploit this vulnerability.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHBA-2025:15692
- https://access.redhat.com/errata/RHBA-2025:15712
- https://access.redhat.com/errata/RHBA-2025:16158
- https://access.redhat.com/errata/RHBA-2025:16163
- https://access.redhat.com/errata/RHEA-2025:4782
- https://access.redhat.com/errata/RHSA-2025:15900
- https://access.redhat.com/errata/RHSA-2025:15901
- https://access.redhat.com/errata/RHSA-2025:15904
- https://access.redhat.com/errata/RHSA-2025:16480
- https://access.redhat.com/errata/RHSA-2025:16481
- https://access.redhat.com/errata/RHSA-2025:16482
- https://access.redhat.com/errata/RHSA-2025:16488
- https://access.redhat.com/errata/RHSA-2025:16515
- https://access.redhat.com/errata/RHSA-2025:16724
- https://access.redhat.com/errata/RHSA-2025:17669
- https://access.redhat.com/errata/RHSA-2025:18217
- https://access.redhat.com/errata/RHSA-2025:18218
- https://access.redhat.com/errata/RHSA-2025:18240
- https://access.redhat.com/errata/RHSA-2025:19002
- https://access.redhat.com/errata/RHSA-2025:19041
- https://access.redhat.com/errata/RHSA-2025:19046
- https://access.redhat.com/errata/RHSA-2025:19094
- https://access.redhat.com/errata/RHSA-2025:19894
- https://access.redhat.com/errata/RHSA-2025:20909
- https://access.redhat.com/errata/RHSA-2025:20983
- https://access.redhat.com/errata/RHSA-2026:18289
- https://access.redhat.com/errata/RHSA-2026:18722
- https://access.redhat.com/errata/RHSA-2026:8211
- https://access.redhat.com/security/cve/CVE-2025-9566
- https://bugzilla.redhat.com/show_bug.cgi?id=2393152
- https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89
- https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.