CVE-2025-9566: podman kube play symlink traversal vulnerability
(updated )
The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target path not the contents that will be written to the file. The contents are defined in the yaml file by the end user.
References
- access.redhat.com/errata/RHSA-2025:15900
- access.redhat.com/errata/RHSA-2025:15901
- access.redhat.com/errata/RHSA-2025:15904
- access.redhat.com/errata/RHSA-2025:16480
- access.redhat.com/errata/RHSA-2025:16481
- access.redhat.com/errata/RHSA-2025:16482
- access.redhat.com/errata/RHSA-2025:16488
- access.redhat.com/errata/RHSA-2025:16515
- access.redhat.com/security/cve/CVE-2025-9566
- bugzilla.redhat.com/show_bug.cgi?id=2393152
- github.com/advisories/GHSA-wp3j-xq48-xpjw
- github.com/containers/podman
- github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89
- github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw
- nvd.nist.gov/vuln/detail/CVE-2025-9566
Code Behaviors & Features
Detect and mitigate CVE-2025-9566 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →