CVE-2025-62161
CRITICAL10.0EPSS 0.05%youki container escape via "masked path" abuse due to mount race conditions
Description
### Impact ### youki utilizes bind mounting the container's `/dev/null` as a file mask. When performing this operation, the initial validation of the source `/dev/null` was insufficient. Specifically, we initially failed to verify whether `/dev/null` was genuinely present. However, we did perform validation to ensure that the `/dev/null` path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount operation. As a result, by replacing `/dev/null` with a symbolic link, we can bind-mount arbitrary files from the host system. This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems. https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2 ### Credits Thanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting the original runc's vulnerability (Attack 1), and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering another attack vector in runc (Attack 2) based on @ssst0n3's initial findings. Also, @cyphar helped youki in finding the problem.
Affected packages (1)
- crates.io/youkifrom 0, < 0.5.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-62161
- PATCHhttps://github.com/youki-dev/youki
- WEBhttps://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
- WEBhttps://github.com/youki-dev/youki/commit/5886c91073b9be748bd8d5aed49c4a820548030a
- WEBhttps://github.com/youki-dev/youki/security/advisories/GHSA-4g74-7cff-xcv8