CVE-2025-57853
Received Received - Intake
Container Privilege Escalation via Group-Writable /etc/passwd in Web Terminal

Publication date: 2026-04-08

Last updated on: 2026-05-01

Assigner: Red Hat, Inc.

Description
A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57853
EUVD
EUVD-2025-209302
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat web_terminal *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-57853 is a container privilege escalation vulnerability found in certain Web Terminal images on Linux systems.

The root cause is that the /etc/passwd file is created with group-writable permissions during the container build process.

This misconfiguration allows an attacker who can execute commands inside the container, even as a non-root user, and who is a member of the root group, to modify the /etc/passwd file.

By modifying this file, the attacker can add a new user with any user ID, including UID 0, which corresponds to root privileges.

This leads to full root access within the container, effectively escalating privileges from a non-root user to root.

Impact Analysis

This vulnerability can allow an attacker with limited access inside a container to gain full root privileges within that container.

With root access, the attacker can perform any action inside the container, including modifying system files, installing malicious software, or accessing sensitive data stored within the container.

Such privilege escalation increases the risk of container compromise and can potentially be a stepping stone for further attacks on the host system or other containers if proper isolation is not enforced.

Detection Guidance

This vulnerability can be detected by checking the permissions of the /etc/passwd file inside the affected container images. Specifically, you should verify if the /etc/passwd file has group-writable permissions, which is the root cause of the issue.

  • Run the command: ls -l /etc/passwd
  • If the output shows group-writable permissions (e.g., -rw-rw-r--), the container is vulnerable.

Additionally, check if any non-root users inside the container are members of the root group, as this membership combined with the writable /etc/passwd file enables exploitation.

  • Run the command: groups <username>
Mitigation Strategies

Immediate mitigation involves correcting the permissions of the /etc/passwd file to remove group-writable access and ensuring that non-root users are not members of the root group within the container.

  • Change the permissions of /etc/passwd to remove group write: chmod 644 /etc/passwd
  • Review and restrict group memberships to prevent non-root users from being in the root group.

Additionally, update or rebuild the affected container images using fixed versions where the /etc/passwd file is created with correct permissions during build time.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57853. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart