CVE-2025-62161
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| youki-dev | youki | to 0.5.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-363 | The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Youki container runtime versions 0.5.6 and below. It involves insufficient initial validation of the source /dev/null when Youki uses bind mounting the container's /dev/null as a file mask. This flaw allows an attacker to escape the container, potentially breaking out of the container's isolation.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to escape from a container, which compromises the container's isolation. This can lead to unauthorized access to the host system or other containers, potentially resulting in data breaches, privilege escalation, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Youki to version 0.5.7 or later, as this version contains the fix for the container escape vulnerability related to bind mounting /dev/null.