CVE-2025-65105
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-02

Last updated on: 2025-12-05

Assigner: GitHub, Inc.

Description
Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-02
Last Modified
2025-12-05
Generated
2026-06-16
AI Q&A
2025-12-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65105
EUVD
EUVD-2025-200292
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lfprojects apptainer to 1.4.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apptainer versions less than 1.4.5 allows a container to disable two specific forms of the --security option (--security=apparmor:<profile> and --security=selinux:<label>). These options normally impose restrictions on container operations to enhance security. Because of this flaw, containers can bypass these security restrictions, potentially allowing more actions than intended. The --security option is primarily intended for root users but also works for unprivileged users if the corresponding security feature is enabled on the system.

Impact Analysis

This vulnerability can impact you by allowing containers to disable important security restrictions that limit what operations they can perform. This could lead to containers performing unauthorized actions, potentially compromising the host system's security. Since Apparmor and SElinux are security modules that enforce mandatory access controls, bypassing them increases the risk of container breakout or unauthorized access to system resources.

Mitigation Strategies

Upgrade Apptainer to version 1.4.5 or later, as this version contains the fix for the vulnerability that allows containers to disable certain --security options. Additionally, ensure that Apparmor or SElinux is properly enabled and configured on your system according to your distribution defaults to maintain container security restrictions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart