CVE-2025-9566: podman kube play symlink traversal vulnerability

September 4, 2025

The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target path not the contents that will be written to the file. The contents are defined in the yaml file by the end user.

References

github.com/advisories/GHSA-wp3j-xq48-xpjw
github.com/containers/podman
github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89
github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw
nvd.nist.gov/vuln/detail/CVE-2025-9566

Code Behaviors & Features

Detect and mitigate CVE-2025-9566 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →