Platform: rust
Component: youki
Fixed versions: 0.5.8, 0.5.7
CVE-2025-62161 describes a race condition vulnerability in youki, a container runtime. The flaw arises from inadequate validation when bind-mounting /dev/null into a container, which can let an attacker gain unauthorized access to sensitive data and compromise the system. It affects youki versions prior to 0.5.7 and is resolved in the updated release.
The core of the vulnerability lies in youki's handling of /dev/null during container setup. The initial validation failed to adequately verify the source of /dev/null, specifically whether what was present at that path was genuinely the null device. An attacker can exploit this by replacing the legitimate /dev/null with a symbolic link pointing to a file they control, so that youki bind-mounts arbitrary files into the container's filesystem and effectively grants read and write access to them. The potential impact ranges from data exfiltration and modification to complete system compromise, depending on which files become reachable through the bind mount, and the blast radius extends to any process running within the container that relies on the manipulated filesystem.
CVE-2025-62161 was published on 2025-11-05. The CVSS score of 10 (CRITICAL) indicates a high probability of exploitation. Currently, there are no publicly available Proof-of-Concept (POC) exploits, but the vulnerability's nature and severity suggest it could become a target for active exploitation. The EPSS score is likely to be assessed as high, given the critical CVSS score and the potential for widespread impact across containerized environments. Monitor security advisories and threat intelligence feeds for any indications of active campaigns targeting this vulnerability.
Exploitation status
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-62161 is to upgrade to youki 0.5.7 or later, which includes the necessary validation fixes. If an immediate upgrade is not feasible because of compatibility concerns or testing requirements, consider temporary workarounds. A direct WAF rule is unlikely to be effective, but restricting bind-mount sources to trusted locations or enforcing stricter filesystem access controls within the container can reduce the attack surface. Regularly monitor container activity for suspicious bind-mount operations. After upgrading, confirm the fix in a test environment by replacing /dev/null with a symbolic link and verifying that the bind-mount operation fails with an appropriate error message.
Update youki to version 0.5.7 or later. This version fixes the container escape vulnerability caused by race conditions when mounting /dev/null. Updating prevents exploitation of this vulnerability.
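The validation the mitigation refers to is a check that the /dev/null source really is the null device before it is bind-mounted. The following is an added example, not youki's own code, showing how such a check can be made race-safe with std only: open the path with O_NOFOLLOW so a symlink is refused outright, fstat the open descriptor rather than the path, and hand mount(2) the /proc/self/fd/N alias of that same descriptor. The flag values and the 1:3 device numbers of /dev/null are Linux-specific assumptions.

```rust
// Added example (not youki's code): verify a bind-mount source on an open fd.
use std::fs::{File, OpenOptions};
use std::os::unix::fs::{FileTypeExt, MetadataExt, OpenOptionsExt};
use std::os::unix::io::AsRawFd;

// Linux open(2) flags from <fcntl.h>; assumed here so the libc crate is not needed.
const O_NOFOLLOW: i32 = 0o400000;
const O_CLOEXEC: i32 = 0o2000000;
// Device numbers of the real null device on Linux (assumption: major 1, minor 3).
const DEV_NULL_MAJOR: u64 = 1;
const DEV_NULL_MINOR: u64 = 3;

// Split a Linux dev_t into (major, minor) the way glibc's gnu_dev_major/minor do.
fn dev_major_minor(dev: u64) -> (u64, u64) {
    let major = ((dev >> 8) & 0xfff) | ((dev >> 32) & !0xfff_u64);
    let minor = (dev & 0xff) | ((dev >> 12) & !0xff_u64);
    (major, minor)
}

// Open `path` without following symlinks and check, on the descriptor itself, that
// it is the null character device. The descriptor is returned so the caller mounts
// from it instead of re-resolving the path, which would reopen the TOCTOU window.
fn open_verified_dev_null(path: &str) -> Result<File, String> {
    let file = OpenOptions::new()
        .read(true)
        .custom_flags(O_NOFOLLOW | O_CLOEXEC)
        .open(path) // fails with ELOOP when `path` is a symlink
        .map_err(|e| format!("open {}: {}", path, e))?;
    let meta = file.metadata().map_err(|e| format!("fstat {}: {}", path, e))?;
    if !meta.file_type().is_char_device() {
        return Err(format!("{} is not a character device", path));
    }
    let (major, minor) = dev_major_minor(meta.rdev());
    if (major, minor) != (DEV_NULL_MAJOR, DEV_NULL_MINOR) {
        return Err(format!("{} is device {}:{}, not the null device 1:3", path, major, minor));
    }
    Ok(file)
}

// The source string to pass to mount(2) for the verified descriptor.
fn bind_source_for(file: &File) -> String {
    format!("/proc/self/fd/{}", file.as_raw_fd())
}

fn main() {
    match open_verified_dev_null("/dev/null") {
        Ok(f) => println!("ok: bind-mount source {}", bind_source_for(&f)),
        Err(e) => eprintln!("refusing to bind-mount: {}", e),
    }
}
```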
It's a CRITICAL Race Condition vulnerability in youki, a container runtime, allowing attackers to bind-mount arbitrary files by manipulating /dev/null.
If you are using youki versions prior to 0.5.7, you are potentially affected by this vulnerability. Assess your container environment and upgrade as soon as possible.
Upgrade to youki version 0.5.7 or later to address the insufficient validation of /dev/null.
While no public POCs exist yet, the CRITICAL severity suggests a high likelihood of future exploitation. Monitor for threat intelligence updates.
Refer to the official youki project website and security advisories for detailed information and updates on CVE-2025-62161.