CVE-2025-8283
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-28

Last updated on: 2025-11-07

Assigner: Red Hat, Inc.

Description
A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman's search domain is not added anymore the container is using the host's resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-28
Last Modified
2025-11-07
Generated
2026-05-07
AI Q&A
2025-07-28
EPSS Evaluated
2026-05-05
NVD
CVE-2025-8283
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-15 One or more system settings or configuration elements can be externally controlled by a user.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the netavark package used with Podman arises because the dns.podman search domain was removed. As a result, containers use the host's DNS search domains for name resolution. If a container's hostname matches a domain in the host's DNS search domains, DNS queries from the container may be resolved to unexpected external servers instead of the intended internal ones. This can cause containers to inadvertently communicate with external servers. [1]


How can this vulnerability impact me? :

The vulnerability can cause containers to connect to unintended external servers due to DNS resolution confusion. This may lead to data leakage or communication with untrusted external entities, potentially compromising container isolation and security. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring DNS resolution behavior in containers using netavark with Podman. Specifically, check if containers with hostnames matching external domain names are resolving to unexpected external IP addresses. You can use commands like 'podman inspect <container_id>' to verify container hostnames and 'dig' or 'nslookup' inside the container to observe DNS resolution results. Additionally, network traffic analysis tools such as 'tcpdump' or 'wireshark' can help identify connections to unexpected external servers. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation includes updating netavark to the fixed version containing the upstream commit (commit ID: 03f12695a696c7fe407eefebd7d5ad3cf2e934fe) that restores proper DNS search domain handling. Until the update is applied, avoid naming containers with hostnames that match external domain names to prevent unintended DNS resolution. Monitoring and restricting outbound DNS queries from containers can also reduce risk. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart