CVE-2025-57853
Container Privilege Escalation via Group-Writable /etc/passwd in Web Terminal
Publication date: 2026-04-08
Last updated on: 2026-05-01
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | web_terminal | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57853 is a container privilege escalation vulnerability found in certain Web Terminal images on Linux systems.
The root cause is that the /etc/passwd file is created with group-writable permissions during the container build process.
This misconfiguration allows an attacker who can execute commands inside the container, even as a non-root user, and who is a member of the root group, to modify the /etc/passwd file.
By modifying this file, the attacker can add a new user with any user ID, including UID 0, which corresponds to root privileges.
This leads to full root access within the container, effectively escalating privileges from a non-root user to root.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with limited access inside a container to gain full root privileges within that container.
With root access, the attacker can perform any action inside the container, including modifying system files, installing malicious software, or accessing sensitive data stored within the container.
Such privilege escalation increases the risk of container compromise and can potentially be a stepping stone for further attacks on the host system or other containers if proper isolation is not enforced.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the permissions of the /etc/passwd file inside the affected container images. Specifically, you should verify if the /etc/passwd file has group-writable permissions, which is the root cause of the issue.
- Run the command: ls -l /etc/passwd
- If the output shows group-writable permissions (e.g., -rw-rw-r--), the container is vulnerable.
Additionally, check if any non-root users inside the container are members of the root group, as this membership combined with the writable /etc/passwd file enables exploitation.
- Run the command: groups <username>
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves correcting the permissions of the /etc/passwd file to remove group-writable access and ensuring that non-root users are not members of the root group within the container.
- Change the permissions of /etc/passwd to remove group write: chmod 644 /etc/passwd
- Review and restrict group memberships to prevent non-root users from being in the root group.
Additionally, update or rebuild the affected container images using fixed versions where the /etc/passwd file is created with correct permissions during build time.