GHSA-phhq-63jg-fp7r: Contrast vulnerability allows arbitrary host data injection into container VOLUME mount points
All of the following need to be true to be affected by this vulnerability:
- A bare metal Contrast deployment (AKS is not affected).
- An image with at least one VOLUME directive.
- No Kubernetes mount at the path of the VOLUME.
If these are all true, the host is able to write arbitrary trees below that mount point.