Platform: rust
Component: youki
Fixed in: 0.5.8, 0.5.7
CVE-2025-62161 describes a race condition vulnerability discovered in youki, a container runtime. The flaw arises from inadequate validation during the bind-mounting of /dev/null, allowing attackers to potentially gain unauthorized access to sensitive data and compromise the system. The vulnerability affects youki versions prior to 0.5.7 and has been resolved in an updated release.
The core of the vulnerability lies in youki's handling of /dev/null during container setup. The original validation failed to adequately verify the source of /dev/null, specifically whether the path was genuinely the expected device rather than a substitute placed there. Attackers can exploit this by replacing the legitimate /dev/null with a symbolic link pointing to a file they control. This allows them to bind-mount arbitrary files into the container's filesystem, effectively granting read and write access to those files. The potential impact is significant, ranging from data exfiltration and modification to complete system compromise, depending on which files become reachable through the bind mount. The blast radius extends to any process running within the container that relies on the manipulated filesystem.
CVE-2025-62161 was published on 2025-11-05. The CVSS score of 10 (CRITICAL) indicates a high probability of exploitation. Currently, there are no publicly available Proof-of-Concept (POC) exploits, but the vulnerability's nature and severity suggest it could become a target for active exploitation. The EPSS score is likely to be assessed as high, given the critical CVSS score and the potential for widespread impact across containerized environments. Monitor security advisories and threat intelligence feeds for any indications of active campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2025-62161 is to upgrade to youki version 0.5.7 or later, which includes the necessary validation fixes. If immediate upgrading is not feasible due to compatibility concerns or testing requirements, consider temporary workarounds. A WAF rule is unlikely to be effective here, but restricting bind mount operations to trusted sources or enforcing stricter filesystem access controls within the container can reduce the attack surface. Regularly monitor container activity for suspicious bind mount operations. After upgrading, confirm the fix by attempting to create a symbolic link at /dev/null and verifying that the bind mount operation fails with an appropriate error message.
Update youki to version 0.5.7 or later. This version fixes the container escape vulnerability caused by race conditions when mounting /dev/null. Updating prevents exploitation of this vulnerability.
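The check the advisory asks for after upgrading (a symlink planted at /dev/null must be rejected) can be expressed as a small validation routine. The following is an added example written for this page; it is not youki's code and does not reproduce the project's fix. It assumes Linux, the generic-ABI values of O_PATH and O_NOFOLLOW, glibc's encoding of st_rdev, and the hypothetical names `open_verified_dev_null` and `check_dev_null`. It opens the candidate path without following a final symlink and inspects the descriptor it actually obtained, so the object that passes the check is the same one a later bind mount via /proc/self/fd/N would use.

```rust
// Added example (not youki's own code): verify that a container's /dev/null is
// the genuine character device (major 1, minor 3) before it is bind-mounted.
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::{FileTypeExt, MetadataExt, OpenOptionsExt};
use std::path::Path;

// Linux open(2) flag values for the generic ABI (x86_64, aarch64, riscv);
// assumed here so the example needs no dependency on the libc crate.
const O_NOFOLLOW: i32 = 0o400000;
const O_PATH: i32 = 0o10000000;

#[derive(Debug, PartialEq)]
pub enum DevNullCheck {
    Ok,
    Missing,
    IsSymlink,
    NotCharDevice,
    WrongDevice { major: u64, minor: u64 },
    Unreadable(String),
}

// glibc's encoding of st_rdev: major in bits 8..19 (and 32 and up),
// minor in bits 0..7 (and 20..31).
fn dev_major(rdev: u64) -> u64 {
    ((rdev >> 8) & 0xfff) | ((rdev >> 32) & !0xfff)
}
fn dev_minor(rdev: u64) -> u64 {
    (rdev & 0xff) | ((rdev >> 12) & !0xff)
}

/// Open `path` with O_PATH|O_NOFOLLOW and fstat the descriptor. With that
/// flag pair a symlink is opened as the link itself (not its target), so a
/// planted link shows up as a symlink rather than as whatever it points to,
/// and the returned File is the object that was examined: there is no
/// separate lookup between the check and any later use of the descriptor.
pub fn open_verified_dev_null(path: &Path) -> Result<File, DevNullCheck> {
    let file = match OpenOptions::new()
        .read(true)
        .custom_flags(O_PATH | O_NOFOLLOW)
        .open(path)
    {
        Ok(f) => f,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Err(DevNullCheck::Missing),
        Err(e) => return Err(DevNullCheck::Unreadable(e.to_string())),
    };
    // fstat on the opened descriptor, not a fresh lstat on the path.
    let meta = file
        .metadata()
        .map_err(|e| DevNullCheck::Unreadable(e.to_string()))?;
    let ft = meta.file_type();
    if ft.is_symlink() {
        return Err(DevNullCheck::IsSymlink);
    }
    if !ft.is_char_device() {
        return Err(DevNullCheck::NotCharDevice);
    }
    let (major, minor) = (dev_major(meta.rdev()), dev_minor(meta.rdev()));
    if (major, minor) != (1, 3) {
        return Err(DevNullCheck::WrongDevice { major, minor });
    }
    Ok(file)
}

/// Convenience wrapper that reports only the verdict.
pub fn check_dev_null(path: &Path) -> DevNullCheck {
    match open_verified_dev_null(path) {
        Ok(_) => DevNullCheck::Ok,
        Err(e) => e,
    }
}

fn main() {
    // Usage: pass a container rootfs; defaults to the host's own /dev/null.
    let root = std::env::args().nth(1).unwrap_or_else(|| "/".to_string());
    let target = Path::new(&root).join("dev/null");
    let verdict = check_dev_null(&target);
    println!("{}: {:?}", target.display(), verdict);
    let _ = fs::metadata(&target); // keep the fs import exercised in the binary
}
```

Only `Ok` should allow the mount to proceed; the returned File can then be handed to the mount call by its /proc/self/fd/N path so the path is never re-resolved. Resolving the path a second time at mount time is exactly the check-then-use window that makes this class of bug a race condition.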
It is a CRITICAL race condition vulnerability in youki, a container runtime, that allows attackers to bind-mount arbitrary files by manipulating /dev/null.
If you are using youki versions prior to 0.5.7, you are potentially affected by this vulnerability. Assess your container environment and upgrade as soon as possible.
Upgrade to youki version 0.5.7 or later to address the insufficient validation of /dev/null.
While no public POCs exist yet, the CRITICAL severity suggests a high likelihood of future exploitation. Monitor for threat intelligence updates.
Refer to the official youki project website and security advisories for detailed information and updates on CVE-2025-62161.