N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62596

GHSA ID

GHSA-vf95-55w6-qmrf

EPSS Score

CWE

CWE-61

Published

11/5/2025

Updated

11/5/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62596

CVE-2025-62596: youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Impact

youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations.

Weak write-target check youki only verifies that the destination lies somewhere under procfs. As a result, a write intended for /proc/self/attr/apparmor/exec can succeed even if the path has been redirected to /proc/sys/kernel/hostname(which is also in procfs).

Path substitution While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target.

This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems. https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm

Credits

Thanks to Li Fubang (@lifubang from acmcoder.com, CIIC) and Tõnis Tiigi (@tonistiigi from Docker) for both independently discovering runc's original vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for the original research into this class of security issues and solutions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62596

CVE-2025-62596:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62596

GHSA ID

GHSA-vf95-55w6-qmrf

EPSS Score

CWE

CWE-61

Published

11/5/2025

Updated

11/5/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
youki	rust	< 0.5.7	0.5.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability in youki is a classic Time-of-check to time-of-use (TOCTOU) race condition, allowing for container escape and denial of service. The core of the issue lies in the use of path-based file system operations on sensitive pseudo-filesystems like /proc. An attacker could manipulate path components (e.g., using symlinks) between the time a path was validated and the time it was used for a write or mount operation. This would redirect the operation to an unintended target within /proc, allowing the attacker to modify system state from within the container.

The provided patch addresses this vulnerability comprehensively by refactoring the code to use file-descriptor-based system calls instead of path-based ones for all security-sensitive operations. This is primarily achieved by integrating the pathrs crate, which provides a safe API for interacting with /proc.

The analysis of the patch identified several key functions that were vulnerable:

apparmor::activate_profile: Wrote to /proc/self/attr/apparmor/exec using a raw path, which was vulnerable to a symlink race.
process::init::process::sysctl: Wrote to /proc/sys files based on user-configurable kernel parameters, making it vulnerable to path traversal and race conditions.
rootfs::mount::Mount::mount_into_container: Performed mounts using paths, which could be hijacked to mount filesystems outside the container's intended root.
process::init::process::masked_path: Used a path-based mount of /dev/null that could be tricked by a malicious symlink.

The function utils::ensure_procfs was identified as the faulty security check that was used by some of these vulnerable functions and was removed as part of the fix. The patch replaces these vulnerable patterns with secure, file-descriptor-based alternatives, effectively mitigating the race condition vulnerabilities.

Vulnerable functions

apparmor::activate_profile

crates/libcontainer/src/apparmor.rs

This function writes to AppArmor's procfs interface. The original implementation used a path-based `fs::write`, which is vulnerable to TOCTOU (Time-of-check to time-of-use) race conditions. An attacker could manipulate the filesystem to replace the target path with a symbolic link after validation, causing a write to an unintended location within `/proc`, leading to container escape or denial of service. The patch mitigates this by using a file-descriptor-based API (`pathrs::procfs::ProcfsHandle`) which is not vulnerable to such path-based races.

process::init::process::sysctl

crates/libcontainer/src/process/init/process.rs

This function writes to sysctl files in `/proc/sys`. The original implementation constructed file paths from kernel parameters and used `fs::write`. This is vulnerable to path traversal attacks (e.g., `../`) or symlink race conditions, allowing a malicious container to write to arbitrary files in `/proc`. The patch uses the `pathrs` library to safely open a handle to the sysctl file, preventing path-based attacks.

process::init::process::masked_path

crates/libcontainer/src/process/init/process.rs

This function is responsible for masking paths inside the container by mounting `/dev/null` over them. The original implementation was vulnerable because it didn't verify that `/dev/null` was the real device file. A malicious container could replace `/dev/null` with a symlink, and this function would then mount a different file, potentially leading to information disclosure or other issues. The patch adds verification of the `/dev/null` device and uses a file-descriptor-based mount to avoid such path-based attacks.

rootfs::mount::Mount::mount_into_container

crates/libcontainer/src/rootfs/mount.rs

This function handles mounting filesystems into the container. The original implementation was vulnerable to symlink race conditions on the mount destination path. An attacker could replace a directory in the destination path with a symlink to a location outside the container's root filesystem between the time the path was checked and the time it was used by the `mount` syscall. This would allow the attacker to mount a filesystem outside the container, leading to a container escape. The patch mitigates this by using file-descriptor-based mount operations, which are not susceptible to path-based race conditions.

utils::ensure_procfs

crates/libcontainer/src/utils.rs

This function was intended to be a security check to ensure that a given path resides on a procfs filesystem before performing a sensitive operation. However, the check was insufficient as it only verified the filesystem type and not the canonical path, making it vulnerable to race conditions and path traversal. Its removal and replacement with safer, file-descriptor-based APIs across the codebase is a direct mitigation of the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62596: youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Impact

Credits

CVE-2025-62596:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

CVE-2025-62596: youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Impact

Credits

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI