8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-9566

CVE-2025-9566: podman kube play symlink traversal vulnerability

Impact

The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target path not the contents that will be written to the file. The contents are defined in the yaml file by the end user.

Requirements to exploit:

podman kube play must be used with a ConfigMap or Secret volume mount AND must be run more than once on the same volume. All the attacker has to do is create the malicious symlink on the volume the first time it is started. After that all following starts would follow the symlink and write to the host location.

Patches

Fixed in podman v5.6.1 https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89

Workarounds

Don't use podman kube play with ConfigMap or Secret volume mounts.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-9566

CVE-2025-9566:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/containers/podman/v5	go	<= 5.6.0	5.6.1
github.com/containers/podman/v4	go	<= 4.9.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the podman kube play command, specifically within the playKubePod function, which handles the creation of files from Kubernetes ConfigMaps and Secrets into volumes. The root cause is the use of os.Create to write files to the volume. This function follows symbolic links, which creates a time-of-check-to-time-of-use (TOCTOU) vulnerability. An attacker could exploit this by running a pod that creates a symbolic link inside the volume, pointing to a sensitive file on the host system. When podman kube play is executed again with the same volume, the playKubePod function follows the symlink and overwrites the targeted host file with the contents specified in the ConfigMap or Secret. The provided patch rectifies this by replacing the vulnerable os.Create call with a new, safer function called openPathSafely. This new function uses unix.Openat with the O_NOFOLLOW flag to explicitly prevent following symbolic links, and further contains file operations within the intended directory using securejoin, thus closing the symlink traversal vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-9566: podman kube play symlink traversal vulnerability

Impact

Requirements to exploit:

Patches

Workarounds

CVE-2025-9566:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-9566: podman kube play symlink traversal vulnerability

Impact

Requirements to exploit:

Patches

Workarounds

Technical Details

8.1

8.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI