CVE-2025-9566

Summary

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.

Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1

Affected Software

VendorProductVersion RangeStatus
4.0.0 < 5.6.1affected
Red HatRed Hat Enterprise Linux 106:5.4.0-13.el10_0 < *unaffected
Red HatRed Hat Enterprise Linux 107:5.6.0-5.el10_1 < *unaffected
Red HatRed Hat Enterprise Linux 107:5.8.0-2.el10 < *unaffected
Red HatRed Hat Enterprise Linux 88100020250911075811.afee755d < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support8060020250919150821.3b538bd8 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Service8060020250919150821.3b538bd8 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions8060020250919150821.3b538bd8 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Telecommunications Update Service8080020250919060528.0f77c1b7 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutions8080020250919060528.0f77c1b7 < *unaffected
Red HatRed Hat Enterprise Linux 95:5.4.0-13.el9_6 < *unaffected
Red HatRed Hat Enterprise Linux 96:5.6.0-6.el9_7 < *unaffected
Red HatRed Hat Enterprise Linux 96:5.8.0-1.el9 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions2:4.2.0-6.el9_0.5 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutions2:4.4.1-22.el9_2.4 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support4:4.9.4-18.el9_4.3 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.120:4.18.0-372.164.1.el8_6 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.120:4.18.0-372.164.1.rt7.325.el8_6 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.123:4.2.0-15.rhaos4.12.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.12412.86.202510291903-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.13413.92.202510150118-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.140:5.14.0-284.138.1.el9_2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.140:5.14.0-284.138.1.rt14.423.el9_2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.143:4.4.1-23.rhaos4.14.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.14414.92.202510211419-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.150:5.14.0-284.138.1.el9_2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.150:5.14.0-284.138.1.rt14.423.el9_2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.153:4.4.1-35.rhaos4.15.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.164:2.237.0-2.rhaos4.16.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.160:4.16.0-202509111927.p2.gf3d9123.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.164:4.9.4-16.rhaos4.16.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.17417.94.202510112152-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.184:2.237.0-1.rhaos4.18.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.180:1.31.12-3.rhaos4.18.gitdc59c78.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.180:5.14.0-427.87.1.el9_4 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.180:4.18.0-202509090932.p2.ga4cad44.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.180:4.18.0-202509011551.p2.g018e43a.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.185:5.2.2-11.rhaos4.18.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.18418.94.202510230424-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.194:2.237.0-1.rhaos4.19.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.190:1.32.8-3.rhaos4.19.git60d4e21.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.190:4.19.0-202509070341.p2.gb5229e8.assembly.stream.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.195:5.4.0-7.rhaos4.19.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.194.19.9.6.202510140714-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.205:5.4.0-12.rhaos4.20.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.204.20.9.6.202510220229-0 < *unaffected
Red HatRed Hat Hardened Images5.8.2-1.hum1 < *unaffected
Red HatRed Hat OpenShift Dev Spaces (RHOSDS) 3.243.24-1760921292 < *unaffected
Red HatRed Hat OpenShift Dev Spaces (RHOSDS) 3.243.24-1761160160 < *unaffected

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Workarounds

Red Hat advises to not run the podman kube play command with untrusted Kubernetes YAML file as input, additionally review the Kubernetes YAML file before running it through podman may help to catch maliciously crafted secretes or volumes that may be used to exploit this vulnerability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References