CVE-2025-5981: OSV-SCALIBR's Container Image Unpacking Vulnerable to Arbitrary File Write via Path Traversal

June 18, 2025 (updated August 7, 2025)

Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR’s unpack() function for container images. Particularly, when using the CLI flag –remote-image on untrusted container images.

References

github.com/advisories/GHSA-2hcm-q3f4-fjgw
github.com/google/osv-scalibr
github.com/google/osv-scalibr/commit/2444419b1818c2d6917fc3394c947fb3276e9d59
github.com/google/osv-scalibr/releases/tag/v0.1.8
nvd.nist.gov/vuln/detail/CVE-2025-5981
pkg.go.dev/vuln/GO-2025-3767

Code Behaviors & Features

Detect and mitigate CVE-2025-5981 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →