3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-8283

GHSA ID

GHSA-rpcf-rmh6-42xr

EPSS Score

0.05933%

CWE

CWE-15

Published

7/28/2025

Updated

7/29/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-8283

CVE-2025-8283: Netavark Has Possible DNS Resolve Confusion

A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman's search domain is not added anymore the container is using the host's resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-8283

GHSA ID

GHSA-rpcf-rmh6-42xr

EPSS Score

0.05933%

CWE

CWE-15

Published

7/28/2025

Updated

7/29/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
netavark	rust	< 1.15.1	1.15.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the netavark package, where the dns.podman search domain was not being added to the container's DNS configuration. This could lead to DNS resolve confusion, where a container's hostname could be resolved to an external IP address. The provided patch in commit 068abc869b736a03a947b5419c102da73830e882 clearly shows the fix being applied in the Bridge::setup function within src/network/bridge.rs. The change involves adding the PODMAN_DEFAULT_SEARCH_DOMAIN to the dns_search_domains in the network setup response. This directly addresses the vulnerability described. The test files were also updated to reflect this change, removing assertions that previously checked for an empty search domain. Therefore, the Bridge::setup function is the vulnerable function as it was responsible for the incorrect DNS configuration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in t** n*t*v*rk p**k***, * n*twork st**k *or *ont*in*rs us** wit* Po*m*n. *u* to *ns.po*m*n s**r** *om*in **in* r*mov**, n*t*v*rk m*y r*turn *xt*rn*l s*rv*rs i* * v*li* */**** r**or* is s*nt *s * r*spons*. W**n *r**tin* * *o

Reasoning

T** vuln*r**ility li*s in t** `n*t*v*rk` p**k***, w**r* t** `*ns.po*m*n` s**r** *om*in w*s not **in* ***** to t** *ont*in*r's *NS *on*i*ur*tion. T*is *oul* l*** to *NS r*solv* *on*usion, w**r* * *ont*in*r's *ostn*m* *oul* ** r*solv** to *n *xt*rn*l I

3.7

Basic Information

Concerned about an active attack path?

CVE-2025-8283: Netavark Has Possible DNS Resolve Confusion

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI