CVE-2025-57854
Container Privilege Escalation in OpenShift Update Service via /etc/passwd

Publication date: 2026-04-08

Last updated on: 2026-05-04

Assigner: Red Hat, Inc.

Description
A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
redhat openshift_update_service *
CWE
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-57854 is a container privilege escalation vulnerability found in certain OpenShift Update Service (OSUS) images. The issue arises because the /etc/passwd file is created with group-writable permissions during the build process. This means that if an attacker can run commands inside the affected container, even as a non-root user, and is part of the root group, they can modify the /etc/passwd file.

By modifying this file, the attacker can add a new user with any user ID they choose, including UID 0, which is the root user. This effectively grants the attacker full root privileges within the container.


How can this vulnerability impact me?

This vulnerability can allow an attacker who has limited access inside a container to escalate their privileges to full root access within that container. With root privileges, the attacker can perform any action inside the container, potentially compromising the container's security and any applications or data it handles.

Such privilege escalation can lead to unauthorized access, data manipulation, or disruption of services running inside the container.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability on your system, you should check the permissions of the /etc/passwd file inside the affected containers. Specifically, verify if the /etc/passwd file has group-writable permissions, which is the root cause of the issue.

  • Run the command: ls -l /etc/passwd

If the output shows group-writable permissions (e.g., -rw-rw-r--), the container is vulnerable.

Additionally, check if any users inside the container belong to the root group, as this membership allows exploitation of the vulnerability.

  • Run the command: groups <username>

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include ensuring that the /etc/passwd file inside the affected containers is not group-writable.

  • Modify the permissions of /etc/passwd to remove group write access by running: chmod 644 /etc/passwd

Also, restrict membership of non-root users in the root group within the container to prevent unauthorized modification of /etc/passwd.

Finally, update or rebuild the affected OpenShift Update Service (OSUS) images with corrected file permissions during build time to prevent recurrence.
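The detection and mitigation steps above, combined into one script as an added example (not Red Hat's or the OSUS project's code): it checks that the passwd file is group-writable and that the user is a member of the file's owning group, the two conditions the advisory depends on, and applies the chmod 644 fix. The file path and user name are parameters so it can be exercised on a constructed file before being pointed at a real container's /etc/passwd.

```shell
#!/bin/sh
# Added check for the condition CVE-2025-57854 describes (not Red Hat's or the
# OSUS project's code): a passwd file writable by a group a non-root user is in.
# Path and user are parameters so the functions can run on a constructed file.

# Group that owns a file: field 4 of `ls -ld` (works with GNU and BSD ls).
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# True when the group-write bit is set: character 6 of the mode string is "w".
is_group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# True when the user's primary or supplementary groups include the named group.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# The advisory's two conditions together: passwd is group-writable AND the user
# belongs to its owning group (the root group in the affected OSUS images).
# Exit status: 0 = exposed, 1 = not exposed, 2 = file not found.
check_passwd_exposure() {
    passwd="${1:-/etc/passwd}"
    user="${2:-$(id -un)}"
    [ -f "$passwd" ] || return 2
    is_group_writable "$passwd" || return 1
    user_in_group "$user" "$(file_group "$passwd")" || return 1
    return 0
}

# Mitigation from the advisory: drop group write (mode 644), then re-verify.
# Returns 0 when the file is no longer group-writable, 1 otherwise.
fix_passwd_mode() {
    passwd="${1:-/etc/passwd}"
    if is_group_writable "$passwd"; then
        chmod 644 "$passwd" || return 1
    fi
    ! is_group_writable "$passwd"
}

# Stand-alone use inside a container: `sh check.sh --run` reports the verdict.
if [ "${1:-}" = "--run" ]; then
    check_passwd_exposure; rc=$?
    echo "$(ls -ld /etc/passwd 2>/dev/null) -> exposure status $rc (0 = exposed)"
    exit $rc
fi
```

In OpenShift, application pods run with a random UID and GID 0 by default, so the root-group membership the advisory relies on is the normal case there rather than a misconfiguration. A group-writable /etc/passwd that is owned by a group no non-root user belongs to does not satisfy the check, which is why the script tests both conditions.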

