CVE-2025-9566
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2025-09-05

Last updated on: 2026-05-19

Assigner: Red Hat, Inc.

Description
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9566
Affected Vendors & Products
Showing 21 associated CPEs
Vendor Product Version / Range
redhat openshift_container_platform 4.4
redhat openshift_container_platform 4.5
redhat openshift_container_platform 4.14
redhat openshift_container_platform 4.8
redhat openshift_container_platform 4.16
redhat openshift_container_platform 4.3
redhat openshift_container_platform 4.19.17
redhat openshift_container_platform 4.10
redhat openshift_container_platform 4.2
redhat openshift_container_platform 4.1
redhat openshift_container_platform 4.13.61
redhat openshift_container_platform 4.9
redhat podman *
redhat openshift_container_platform 4.18.27
redhat openshift_container_platform 4.17.42
redhat openshift_container_platform 4.7
redhat openshift_container_platform 4.15
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat openshift_container_platform 4.6
redhat openshift_container_platform 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9566 is a vulnerability in Podman where an attacker can exploit the 'podman kube play' command to overwrite files on the host system. This happens when the Kubernetes YAML file used contains a ConfigMap or Secret volume mount that includes a symbolic link pointing to a host file. The attacker can control which host file is overwritten via the symlink, but cannot control the content written to that file, as the content is defined by the YAML configuration. [1]

Impact Analysis

This vulnerability can allow an attacker with some level of access to Podman to overwrite arbitrary files on the host system, potentially leading to system instability, denial of service, or other impacts depending on which files are overwritten. Although the attacker cannot control the content written, controlling the target file path can still be leveraged to disrupt system operations or security. [1]

Detection Guidance

Detection involves checking if your system is running a vulnerable version of Podman (versions from 4.0.0 up to but not including 5.6.1) and inspecting Kubernetes YAML files used with `podman kube play` for ConfigMap or Secret volume mounts that include symbolic links pointing to host file paths. You can check the Podman version with the command `podman --version`. To find potentially risky YAML files, you can search for volume mounts with symlinks by examining the YAML files manually or using commands like `grep -r 'volumeMounts' /path/to/kube/yaml/files` and then verifying if any volumes contain symlinks to host files using `find /path/to/volumes -type l -ls`. There is no direct network detection method described. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Podman to version 5.6.1 or later, where the vulnerability is fixed. Additionally, review and avoid using Kubernetes YAML files with ConfigMap or Secret volume mounts that contain symbolic links to host file paths when using `podman kube play`. Restricting user privileges to limit the ability to run `podman kube play` commands or to create such YAML configurations can also reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart