CVE-2025-4437: CRI-O has Potential High Memory Consumption from File Read

August 20, 2025 (updated August 29, 2025)

There’s a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container’s entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.

References

access.redhat.com/security/cve/CVE-2025-4437
bugzilla.redhat.com/show_bug.cgi?id=2375084
github.com/advisories/GHSA-8f93-j3fx-72f3
github.com/cri-o/cri-o
nvd.nist.gov/vuln/detail/CVE-2025-4437
pkg.go.dev/vuln/GO-2025-3897

Code Behaviors & Features

Detect and mitigate CVE-2025-4437 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →