
CVE-2025-6032: Podman Improper Certificate Validation; machine missing TLS verification

CVSS Score (v3.1): 8.4

Basic Information

EPSS Score: 0.04407%
Published: 6/25/2025
Updated: 6/28/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
github.com/containers/podman/v5     go          < 5.5.2               5.5.2
github.com/containers/podman/v4     go          >= 4.8.0, <= 4.9.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper TLS certificate validation when Podman downloads VM images for 'podman machine init'. The root cause was identified in the way the 'types.SystemContext' was being initialized in two key functions: 'Pull' and 'getDestArtifact' within the 'pkg/machine/ocipull' package.

In both functions, a boolean field 'TLSVerify' controlled TLS verification, and the system context was initialized as 'DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify)'. That inversion is the flaw: in Go the zero value of a boolean is false, so unless the caller explicitly set 'TLSVerify' to true, '!options.TLSVerify' evaluated to true and 'DockerInsecureSkipTLSVerify' was set to true, disabling TLS certificate validation for the image download.

This insecure default behavior exposed users of podman machine init to Man-in-the-Middle (MITM) attacks, where an attacker could intercept the connection to the OCI registry and provide a malicious VM image.

The patch addresses this by replacing the 'TLSVerify' boolean with a 'types.OptionalBool' named 'SkipTLSVerify'. This makes the intent explicit and shifts the logic to be secure by default: 'DockerInsecureSkipTLSVerify' is now set directly from 'options.SkipTLSVerify', which, when not provided, is not true, so TLS verification stays enabled. Engineers with an affected version in their environment should understand that any 'podman machine init' run that pulls a VM image from a remote registry without explicitly enabling TLS verification is exposed.
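The zero-value trap described above is easy to see in a few lines of Go. The block below is an added example written for this page, not code from the Podman project: it redefines a local stand-in for the three-state 'OptionalBool' type (mirroring the 'OptionalBoolUndefined' / 'OptionalBoolTrue' / 'OptionalBoolFalse' constants and the 'NewOptionalBool' helper of containers/image, so it builds with the standard library alone) and places the pre-fix initialization beside the patched one. The option struct names ('OldPullOptions', 'NewPullOptions') and the 'tlsVerificationEnabled' check are this example's own.

```go
package main

import "fmt"

// OptionalBool is a local stand-in for the three-state type in
// github.com/containers/image/v5/types. The zero value is "not set".
type OptionalBool byte

const (
	OptionalBoolUndefined OptionalBool = iota // zero value: caller said nothing
	OptionalBoolTrue
	OptionalBoolFalse
)

// NewOptionalBool follows the containers/image helper of the same name.
func NewOptionalBool(b bool) OptionalBool {
	if b {
		return OptionalBoolTrue
	}
	return OptionalBoolFalse
}

// SystemContext keeps only the field relevant to this CVE.
type SystemContext struct {
	DockerInsecureSkipTLSVerify OptionalBool
}

// OldPullOptions is the pre-fix shape (hypothetical name): a plain bool
// whose zero value is false, i.e. "do not verify" unless the caller opts in.
type OldPullOptions struct {
	TLSVerify bool
}

// NewPullOptions is the post-fix shape (hypothetical name): an OptionalBool
// whose zero value is Undefined, which containers/image resolves through
// registries.conf, where the default is to verify.
type NewPullOptions struct {
	SkipTLSVerify OptionalBool
}

// vulnerableSystemContext reproduces the flawed initialization from the
// advisory: inverting the bool turns an unset option into "skip".
func vulnerableSystemContext(o OldPullOptions) SystemContext {
	return SystemContext{
		DockerInsecureSkipTLSVerify: NewOptionalBool(!o.TLSVerify),
	}
}

// patchedSystemContext reproduces the fix: the option is copied as-is, so
// only an explicit request disables verification.
func patchedSystemContext(o NewPullOptions) SystemContext {
	return SystemContext{
		DockerInsecureSkipTLSVerify: o.SkipTLSVerify,
	}
}

// tlsVerificationEnabled answers the defender's question: will the registry
// connection check the certificate? Only an explicit OptionalBoolTrue on the
// skip flag disables it; Undefined (defer to registries.conf, default verify)
// and False both keep verification on.
func tlsVerificationEnabled(sc SystemContext) bool {
	return sc.DockerInsecureSkipTLSVerify != OptionalBoolTrue
}

func main() {
	// A caller that never sets the option, as most callers of Pull did.
	fmt.Println("old code, option unset:      verify =",
		tlsVerificationEnabled(vulnerableSystemContext(OldPullOptions{})))
	fmt.Println("old code, TLSVerify=true:    verify =",
		tlsVerificationEnabled(vulnerableSystemContext(OldPullOptions{TLSVerify: true})))
	fmt.Println("patched, option unset:       verify =",
		tlsVerificationEnabled(patchedSystemContext(NewPullOptions{})))
	fmt.Println("patched, SkipTLSVerify=true: verify =",
		tlsVerificationEnabled(patchedSystemContext(NewPullOptions{SkipTLSVerify: OptionalBoolTrue})))
}
```

Run with 'go run' and the first line shows the bug: an untouched options struct produces verify = false under the old code and verify = true under the patched code. The general lesson is the one to carry into reviews of any Go code that builds a security setting from an inverted boolean: the zero value of the option must map to the safe state, which is why a three-state type whose zero value means "unset" is the right fix rather than flipping the bool's default.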

Vulnerable functions

github.com/containers/podman/v5/pkg/machine/ocipull.Pull
pkg/machine/ocipull/pull.go
The 'Pull' function initializes a 'types.SystemContext' to pull an OCI image. The 'DockerInsecureSkipTLSVerify' field was previously set to the inverse of 'options.TLSVerify'. Since the default value for the boolean 'TLSVerify' is false, TLS verification was disabled by default, making the image pull susceptible to a Man-in-the-Middle (MITM) attack. The patch changes the 'TLSVerify' field to 'SkipTLSVerify' (an OptionalBool) and uses its value directly, ensuring that TLS verification is enabled by default.
github.com/containers/podman/v5/pkg/machine/ocipull.(*OCIArtifactDisk).getDestArtifact
pkg/machine/ocipull/ociartifact.go
The 'getDestArtifact' method, used during 'podman machine init', also creates a 'types.SystemContext' for interacting with an OCI registry. Similar to the 'Pull' function, it incorrectly set 'DockerInsecureSkipTLSVerify' based on the default boolean value of 'pullOptions.TLSVerify', thus disabling TLS verification by default. This allowed for a potential MITM attack when downloading the VM image. The patch corrects this by using the new 'SkipTLSVerify' field, making the connection secure by default.

WAF Protection Rules

WAF Rule

### Impact
The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.5.0) allowing a possible Man In The Middle attack.

### Patches
https://github.com/co
