CVE-2025-9566: podman kube play symlink traversal vulnerability

CVSS Score: 8.1 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 9/4/2025
Updated: 9/4/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/containers/podman/v5 | go | <= 5.6.0 | 5.6.1 |
| github.com/containers/podman/v4 | go | <= 4.9.5 | - |

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability exists in the podman kube play command, specifically within the playKubePod function, which handles the creation of files from Kubernetes ConfigMaps and Secrets into volumes. The root cause is the use of os.Create to write files to the volume: os.Create follows symbolic links, which creates a time-of-check-to-time-of-use (TOCTOU) vulnerability. An attacker could exploit this by running a pod that creates a symbolic link inside the volume, pointing to a sensitive file on the host system. When podman kube play is executed again with the same volume, the playKubePod function follows the symlink and overwrites the targeted host file with the contents specified in the ConfigMap or Secret. The patch rectifies this by replacing the vulnerable os.Create call with a new, safer function called openPathSafely. This function uses unix.Openat with the O_NOFOLLOW flag to explicitly refuse to follow symbolic links, and further confines file operations to the intended directory using securejoin, thus closing the symlink traversal vulnerability.

Vulnerable functions

github.com/containers/podman/v5/pkg/domain/infra/abi.ContainerEngine.playKubePod
pkg/domain/infra/abi/play.go
The `playKubePod` function was vulnerable to a symlink traversal attack. When creating files for ConfigMap or Secret volumes, it used `os.Create`, which follows symbolic links by default. If a malicious actor could place a symbolic link within the volume pointing to a file on the host, a subsequent run of `podman kube play` would cause `os.Create` to follow that link and overwrite the host file. The patch mitigates this by replacing `os.Create` with a new function, `openPathSafely`, which is designed to prevent this type of attack.
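The defect described in the root cause analysis and in the function note above, contrasted with a hardened open, as an added Go example that is not podman's code: `openSafe` and `demo` are names assumed by this example, the `filepath.IsLocal` check stands in for the securejoin containment the patch uses, and `openPathSafely` itself is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openSafe is a hardened illustration, not podman's openPathSafely: the entry
// name must stay inside the volume, and O_NOFOLLOW makes open(2) fail with
// ELOOP instead of following a symlink at the final path component.
func openSafe(volume, name string) (*os.File, error) {
	if !filepath.IsLocal(name) { // rejects "", absolute paths and ".." escapes
		return nil, errors.New("entry name escapes the volume")
	}
	return os.OpenFile(filepath.Join(volume, name), os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
}

// demo builds the scenario in a temp dir (constructed data): a "host" file and a volume whose
// entry config.yaml is already a symlink to it; it reports whether openSafe refused the link
// and whether the pre-patch os.Create pattern clobbered the host file.
func demo() (refused, overwrote bool, err error) {
	dir, err := os.MkdirTemp("", "cve-2025-9566-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	host, volume := filepath.Join(dir, "host-file"), filepath.Join(dir, "volume")
	if err = errors.Join(os.Mkdir(volume, 0o755), os.WriteFile(host, []byte("original"), 0o644),
		os.Symlink(host, filepath.Join(volume, "config.yaml"))); err != nil {
		return false, false, err
	}
	_, werr := openSafe(volume, "config.yaml") // hardened path: expected ELOOP
	got, _ := os.ReadFile(host)
	refused = errors.Is(werr, syscall.ELOOP) && string(got) == "original"
	// Pre-patch pattern: os.Create follows the symlink, truncating the host file
	// and sending the ConfigMap payload to it.
	if f, e := os.Create(filepath.Join(volume, "config.yaml")); e == nil {
		f.WriteString("configmap-data")
		f.Close()
	}
	got, _ = os.ReadFile(host)
	overwrote = string(got) == "configmap-data"
	return refused, overwrote, nil
}

func main() {
	fmt.Println(demo()) // prints: true true <nil>
}
```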

WAF Protection Rules

### Impact

The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files o
