CVE-2025-64433: KubeVirt Arbitrary Container File Read
Mounting a user-controlled PVC disk in a VM lets an attacker read any file present in the virt-launcher pod. The cause is incorrect handling of symlinks defined inside the PVC: a link that points outside the mounted volume is followed into the pod's own filesystem.
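The defect described above is a path-containment problem: content inside a user-controlled volume is opened without checking where its symlinks lead. As an added example (not KubeVirt's code or its fix), the Go helper below follows every symlink under a mount root and rejects any path whose resolved target leaves that root; the directory layout and the stand-in pod secret are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
var ErrEscapesRoot = errors.New("path resolves outside the mount root") // symlink or ".." escape
// ResolveWithinRoot follows every symlink in root/rel and accepts the result only if it still lies
// under root: the containment check a consumer of an untrusted PVC needs (hypothetical, not KubeVirt's).
func ResolveWithinRoot(root, rel string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root) // canonicalise the root itself first
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(absRoot, rel)) // Join cleans ".."; EvalSymlinks follows links
	if err != nil {
		return "", err
	}
	if resolved != absRoot && !strings.HasPrefix(resolved, absRoot+string(os.PathSeparator)) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

// DemoMount builds a constructed layout: a stand-in pod secret outside the "PVC", and inside it a regular file, a symlink that stays inside and one that points out.
func DemoMount(base string) (string, error) {
	pvc, secret := filepath.Join(base, "pvc"), filepath.Join(base, "pod", "token")
	if err := errors.Join(os.MkdirAll(pvc, 0o755), os.MkdirAll(filepath.Dir(secret), 0o755)); err != nil {
		return "", err
	}
	return pvc, errors.Join(
		os.WriteFile(secret, []byte("constructed-secret"), 0o600),
		os.WriteFile(filepath.Join(pvc, "README"), []byte("hi"), 0o644),
		os.Symlink("README", filepath.Join(pvc, "inside")), // relative link, stays inside the mount
		os.Symlink(secret, filepath.Join(pvc, "escape")),   // absolute link into the pod filesystem
	)
}

func main() {
	base, _ := os.MkdirTemp("", "pvc-demo")
	defer os.RemoveAll(base)
	root, _ := DemoMount(base)
	for _, rel := range []string{"README", "inside", "escape", "../pod/token"} {
		p, err := ResolveWithinRoot(root, rel)
		fmt.Println(rel, "->", p, err)
	}
}
```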
References
- github.com/advisories/GHSA-qw6q-3pgr-5cwq
- github.com/kubevirt/kubevirt
- github.com/kubevirt/kubevirt/commit/09eafa068ec01eca0e96ebafeeb9522a878dbf64
- github.com/kubevirt/kubevirt/commit/9dc798cb1efe924a9a2b97b6e016452dec5e3849
- github.com/kubevirt/kubevirt/commit/a81b27d4600cf654274dd197119658382affdb08
- github.com/kubevirt/kubevirt/security/advisories/GHSA-qw6q-3pgr-5cwq
- nvd.nist.gov/vuln/detail/CVE-2025-64433