
CVE-2025-4953: Podman Creates Temporary File with Insecure Permissions

CVSS Score: 7.4 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 9/16/2025
Updated: 9/16/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name: github.com/containers/podman/v5
Ecosystem: Go
Vulnerable Versions: <= 5.5.0
First Patched Version: 5.5.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

CVE-2025-4953 arises from Podman's handling of bind mounts during the build process, which can leave files on the host with insecure permissions. The root cause lies in Buildah, the library Podman depends on to build container images.

The analysis started by comparing the patched Podman release, v5.5.1, with the last vulnerable release, v5.5.0. The primary change between them is a bump of the vendored Buildah dependency from v1.40.0 to v1.40.1.

The Buildah changes between those two versions are concentrated in run_linux.go and concern the SELinux relabeling options (z and Z) on bind mounts.

The vulnerable functions, Builder.Run and its helper Builder.runSetupVolumeMounts, were modified to handle these options inside Buildah instead of passing them to the OCI runtime: the patch performs the relabeling itself and then strips z and Z from the mount options. This stops the runtime from misinterpreting the options and creating files with incorrect, insecure permissions in the host's temporary build directory.

Any runtime profile of a vulnerable Podman version executing a build that contains a RUN --mount=type=bind instruction will therefore show these functions on the call stack. Note that Builder.Run runs for every RUN instruction, so the functions alone only show that the vulnerable code path was reachable; their presence together with a bind-mount build marks the build as worth investigating, and exploitation is confirmed by checking whether it left files with unexpected permissions in the host's temporary build context directory.
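As an added example, not code from Miggo or from the Podman/Buildah projects: a Go check that reads the two version fields from `podman info --format json` (the key names host.buildahVersion and version.Version are assumed from podman's output format and should be confirmed on the target), flags the affected range stated above (Podman below 5.5.1, Buildah below 1.40.1), and lists the RUN --mount=type=bind instructions in a Containerfile so that builds exercising the vulnerable path can be enumerated. The sample `podman info` document and Containerfile are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Affected range stated on this page: Podman <= 5.5.0 (fixed 5.5.1), Buildah 1.40.0 (fixed 1.40.1).
const podmanFixed, buildahFixed = "5.5.1", "1.40.1"

// parseVersion turns "5.5.0" or "v5.4.2-dev" into [5 5 0] / [5 4 2].
func parseVersion(s string) [3]int {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+ "); i >= 0 {
		s = s[:i] // drop pre-release / build suffix
	}
	var v [3]int
	for i, p := range strings.SplitN(s, ".", 3) {
		v[i], _ = strconv.Atoi(p) // non-numeric component counts as 0
	}
	return v
}

// versionLess reports whether a sorts before b.
func versionLess(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// podmanInfo is the subset of `podman info --format json` read here (key names assumed, see lead-in).
type podmanInfo struct {
	Host    struct{ BuildahVersion string `json:"buildahVersion"` } `json:"host"`
	Version struct{ Version string `json:"Version"` }                `json:"version"`
}

// vulnerableByVersion reports whether Podman or its vendored Buildah is in the affected range, and why.
func vulnerableByVersion(infoJSON []byte) (bool, string, error) {
	var info podmanInfo
	if err := json.Unmarshal(infoJSON, &info); err != nil {
		return false, "", err
	}
	if info.Version.Version == "" || info.Host.BuildahVersion == "" {
		return false, "", fmt.Errorf("podman info: version fields missing")
	}
	var why []string
	if versionLess(parseVersion(info.Version.Version), parseVersion(podmanFixed)) {
		why = append(why, "podman "+info.Version.Version+" < "+podmanFixed)
	}
	if versionLess(parseVersion(info.Host.BuildahVersion), parseVersion(buildahFixed)) {
		why = append(why, "buildah "+info.Host.BuildahVersion+" < "+buildahFixed)
	}
	return len(why) > 0, strings.Join(why, "; "), nil
}

// bindMountRuns returns the 1-based line numbers of RUN instructions using
// --mount=type=bind, joining backslash-continued lines first.
func bindMountRuns(containerfile string) []int {
	var hits []int
	var cur strings.Builder
	start := 0
	for n, raw := range strings.Split(containerfile, "\n") {
		t := strings.TrimRight(raw, " \t")
		if cur.Len() == 0 {
			start = n + 1
		}
		if strings.HasSuffix(t, "\\") { // continuation: join with the next line
			cur.WriteString(strings.TrimSuffix(t, "\\") + " ")
			continue
		}
		s := strings.ToUpper(strings.TrimSpace(cur.String() + t))
		cur.Reset()
		if strings.HasPrefix(s, "RUN ") && strings.Contains(s, "--MOUNT=") && strings.Contains(s, "TYPE=BIND") {
			hits = append(hits, start)
		}
	}
	return hits
}

// Constructed sample inputs; neither is captured from a real host or project.
const sampleInfo = `{"host":{"buildahVersion":"1.40.0"},"version":{"APIVersion":"5.5.0","Version":"5.5.0"}}`
const sampleContainerfile = `FROM docker.io/library/alpine:3.20
RUN --mount=type=bind,source=.,target=/src,rw \
    sh -c 'cp -r /src /work && touch /src/marker'
RUN --mount=type=cache,target=/root/.cache true
`

func main() {
	affected, why, err := vulnerableByVersion([]byte(sampleInfo))
	if err != nil {
		panic(err)
	}
	fmt.Printf("affected by version: %v (%s)\n", affected, why)
	fmt.Printf("RUN --mount=type=bind at lines: %v\n", bindMountRuns(sampleContainerfile))
}
```

Run the version half against the real `podman info --format json` output on each build host; the Containerfile half yields the builds whose profiles would legitimately show Builder.Run with a bind mount, which is the set to prioritise when checking host build context directories for leftover files.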

Vulnerable functions

Builder.Run
vendor/github.com/containers/buildah/run_linux.go
The main Buildah entry point for running a command inside the build container. The vulnerability is triggered here because this function did not correctly handle SELinux relabeling for bind mounts; a build that uses a RUN --mount=type=bind instruction can therefore cause files to be created on the host with insecure permissions.
Builder.runSetupVolumeMounts
vendor/github.com/containers/buildah/run_linux.go
Sets up the volume mounts for the run. The patch shows it did not strip the SELinux relabeling options, so they were passed down to the OCI runtime, which led to the insecure file creation.

WAF Protection Rules

WAF Rule

A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context direct
