CVE-2025-47290: containerd allows host filesystem access on pull
A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system.
References
- github.com/advisories/GHSA-cm76-qm8v-3j95
- github.com/containerd/containerd
- github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc
- github.com/containerd/containerd/releases/tag/v2.1.1
- github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95
- nvd.nist.gov/vuln/detail/CVE-2025-47290