7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54867

GHSA ID

GHSA-j26p-6wx7-f3pw

EPSS Score

CWE

CWE-61

Published

8/14/2025

Updated

8/14/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54867

CVE-2025-54867: Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.

Summary

If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.

Details

For security reasons, container creation should be prohibited if /proc or /sys in the rootfs is a symbolic link. I verified this behavior with youki. When /proc or /sys is a symbolic link, runc fails to create the container, whereas youki successfully creates it.

This is the fix related to this issue in runc.

https://github.com/opencontainers/runc/pull/3756
https://github.com/opencontainers/runc/pull/3773
https://github.com/opencontainers/runc/blob/main/libcontainer/rootfs_linux.go#L590
https://github.com/opencontainers/runc/blob/main/tests/integration/mask.bats#L60

Impact

The following advisory appears to be related to this vulnerability:

https://github.com/advisories/GHSA-vpvm-3wq2-2wvm
https://github.com/advisories/GHSA-fh74-hm69-rqjw

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-54867

CVE-2025-54867:

7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54867

GHSA ID

GHSA-j26p-6wx7-f3pw

EPSS Score

CWE

CWE-61

Published

8/14/2025

Updated

8/14/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
youki	rust	< 0.5.5	0.5.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the youki container runtime because it failed to properly validate the container's root filesystem before setting up mounts. Specifically, it did not check if the /proc or /sys paths inside the container's rootfs were symbolic links. An attacker could craft a container image where /proc is a symbolic link to the host's root directory (/). When youki starts the container, it would follow this symlink and mount the container's procfs on the host's root, giving the container access to the host's filesystem.

The patch addresses this by introducing checks in the libcontainer::rootfs::mount::Mount::setup_mount function. Before mounting procfs or sysfs, the code now uses fs::symlink_metadata to check the nature of the destination path. If the path is not a directory (i.e., it's a file or a symbolic link), the container creation process is aborted with an error. A new helper function, libcontainer::rootfs::mount::Mount::check_proc_mount, was also added to provide more granular checks for /proc mounts, ensuring that only legitimate procfs mounts are allowed.

Therefore, the primary vulnerable function is libcontainer::rootfs::mount::Mount::setup_mount as it contained the logic flaw. The function libcontainer::rootfs::mount::Mount::check_proc_mount is a new security control function introduced by the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54867: Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.

Summary

Details

Impact

CVE-2025-54867:

7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-54867: Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.

Summary

Details

Impact

Basic Information

Basic Information

7

7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI