CVE-2025-64750
BaseFortify

Publication date: 2025-12-02

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5.
Meta Information
Published: 2025-12-02
Last Modified: 2025-12-04
Generated: 2026-05-06
AI Q&A: 2025-12-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)
Vendor          Product          Version / Range
sylabs          singularitypro   4.3.5
opencontainers  runc             *
sylabs          singularitypro   4.1.11
sylabs          singularityce    4.3.5
CWE
CWE-706: The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects SingularityCE before 4.3.5 and SingularityPRO before 4.1.11 and 4.3.5. It allows an attacker to partially bypass Linux Security Module (LSM) restrictions by redirecting the LSM label write operation so that it is ineffective. The attacker must get the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount whose content the attacker controls, either through another malicious container that also binds it or through permissions on the host it is bound from. Because the label write lands in the wrong place, the LSM restrictions the user relies on are not applied to the container.


How can this vulnerability impact me?

This vulnerability can lead to a partial bypass of the security restrictions enforced by LSMs, allowing operations that the LSM policy should have blocked. Within the container environment this could result in unauthorized access or data manipulation, affecting the integrity, confidentiality, and availability of the system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update SingularityCE to version 4.3.5 or later, and SingularityPRO to version 4.1.11 or 4.3.5 or later. Avoid running untrusted container images, especially images that redirect the mount of /proc to a shared mount. Ensure that shared mounts bound into containers are properly secured and that only trusted users can control their content on the host.

