CVE-2025-59054
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-12

Last updated on: 2025-11-28

Assigner: GitHub, Inc.

Description
dstack is a software development kit (SDK) to simplify the deployment of arbitrary containerized apps into trusted execution environments. In versions of dstack prior to 0.5.4, a malicious host may provide a crafted LUKS2 data volume to a dstack CVM for use as the `/data` mount. The guest will open the volume and write secret data using a volume key known to the attacker, causing disclosure of Wireguard keys and other secret information. The attacker can also pre-load data on the device, which could potentially compromise guest execution. LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume opens (cryptsetup open) without error using any passphrase or token, records all writes in plaintext (or ciphertext with an attacker-known key), and/or contains arbitrary data chosen by the attacker. Version 0.5.4 of dstack contains a patch that addresses LUKS headers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-12
Last Modified
2025-11-28
Generated
2026-06-16
AI Q&A
2025-09-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59054
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cryptsetup cryptsetup <2.8.1
dstack dstack *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects dstack versions prior to 0.5.4, where a malicious host can provide a specially crafted LUKS2 data volume to a dstack CVM as the /data mount. The guest system opens this volume and writes secret data using a volume key known to the attacker, leading to disclosure of sensitive information such as Wireguard keys. Additionally, the attacker can preload data on the device, potentially compromising guest execution. The root cause is that LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume that opens without error using any passphrase, records all writes in plaintext or ciphertext with an attacker-known key, or contains arbitrary attacker-chosen data. Version 0.5.4 patches this issue by addressing LUKS headers.

Impact Analysis

This vulnerability can lead to disclosure of secret information such as Wireguard keys and other sensitive data from the guest system. It also allows an attacker to preload arbitrary data on the device, which could compromise the execution of the guest environment. This can result in unauthorized access, data leakage, and potential compromise of the containerized applications running within the dstack environment.

Mitigation Strategies

Upgrade dstack to version 0.5.4 or later, which contains a patch that addresses the LUKS headers vulnerability. Avoid using untrusted LUKS2 volumes as the /data mount in dstack CVMs to prevent malicious crafted volumes from causing secret data disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59054. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart