CVE-2025-54867
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-11-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| youki-dev | youki | to 0.5.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Youki, a container runtime written in Rust, occurs when the /proc and /sys directories in the root filesystem are symbolic links. Prior to version 0.5.5, this condition could be exploited to gain access to the host's root filesystem, potentially allowing unauthorized access to sensitive system files. The issue was fixed in version 0.5.5.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to access the host root filesystem from within a container, potentially leading to unauthorized access, modification, or destruction of critical system files and data. This could compromise the security and integrity of the host system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Youki to version 0.5.5 or later, as this version contains the patch that fixes the vulnerability related to symbolic links for /proc and /sys in the root filesystem.