CVE-2025-24965
Summary
crun is an open source OCI Container Runtime fully written in C. In affected versions, a malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
- Base Score: 8.5
- Exploitability Score: 0.0
- Impact Score: 0.0
- Exploitable: 0
Details
CVE-2025-24965 is a high-severity vulnerability (CVSS base score 8.5) affecting versions prior to 1.20 of crun, an OCI (Open Container Initiative) compliant container runtime. It lives in crun's krun handler, the code path taken when a container is started with the krun handler (libkrun-backed execution); only containers run through that handler reach the affected code. While setting up such a container, the handler creates or modifies a file under the container's root filesystem. A specially crafted container image can make that path resolve outside the rootfs, so the handler's write lands on the host filesystem instead. The classic vector for this bug class is a symbolic link placed in the image's rootfs at the path the runtime writes; this page does not detail crun's exact resolution failure. No privileges inside the container are needed, because the write happens during container setup with the credentials of the user invoking crun: that user's ability to write to the targeted host file is sufficient. The consequence is that a malicious or compromised image can create or overwrite any host file writable by the account running crun, which can corrupt data and, when crun runs as root (the common case for system-level container engines), compromise the host outright.
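To make the mechanism concrete, here is an added Python example of the general bug class the advisory describes; it is not crun's code and not the exact flaw in the krun handler, which this page does not detail. A runtime writes a configuration file under an image's root filesystem with a plain open(), which follows a symlink the image planted there and so lands on a host file; the hardened variant opens the file relative to a directory descriptor of the rootfs with O_NOFOLLOW, so the kernel refuses the symlink atomically. The rootfs, the host file and the file name handler-config.json are constructed for the demonstration and stand in for attacker-controlled image content and a writable host path.

```python
import errno
import os
import tempfile

# Hypothetical file name; stands in for whatever file a runtime handler writes into the rootfs.
CONFIG_NAME = "handler-config.json"


def build_malicious_rootfs(rootfs: str, host_target: str) -> None:
    """Constructed attacker image: the rootfs ships a symlink where the runtime will write."""
    os.symlink(host_target, os.path.join(rootfs, CONFIG_NAME))


def write_config_naive(rootfs: str, data: bytes) -> None:
    """Vulnerable pattern: open() on a path under the rootfs follows symlinks, so the
    write is redirected wherever the image's symlink points (here, a host file)."""
    with open(os.path.join(rootfs, CONFIG_NAME), "wb") as f:
        f.write(data)


def write_config_hardened(rootfs: str, data: bytes) -> None:
    """Hardened pattern: open relative to an fd of the rootfs directory and refuse a
    symlink at the final component with O_NOFOLLOW. The kernel fails the open with
    ELOOP atomically, so there is no check-then-use window for the image to race."""
    dirfd = os.open(rootfs, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(CONFIG_NAME,
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                     0o644, dir_fd=dirfd)
    finally:
        os.close(dirfd)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Run both patterns against a malicious rootfs and report what happened to the host file."""
    results = {}
    original = b"original host content"
    payload = b'{"from": "runtime"}'
    with tempfile.TemporaryDirectory() as tmp:
        host_target = os.path.join(tmp, "host_file")  # constructed stand-in for a host file
        with open(host_target, "wb") as f:
            f.write(original)

        # 1) vulnerable write against a malicious rootfs: the host file is overwritten
        rootfs_a = os.path.join(tmp, "rootfs_a")
        os.mkdir(rootfs_a)
        build_malicious_rootfs(rootfs_a, host_target)
        write_config_naive(rootfs_a, payload)
        with open(host_target, "rb") as f:
            results["naive_overwrote_host_file"] = f.read() == payload

        # 2) hardened write against the same malicious rootfs: refused, host file untouched
        with open(host_target, "wb") as f:
            f.write(original)
        rootfs_b = os.path.join(tmp, "rootfs_b")
        os.mkdir(rootfs_b)
        build_malicious_rootfs(rootfs_b, host_target)
        try:
            write_config_hardened(rootfs_b, payload)
            results["hardened_refused"] = False
        except OSError as e:
            results["hardened_refused"] = e.errno == errno.ELOOP
        with open(host_target, "rb") as f:
            results["hardened_left_host_file_intact"] = f.read() == original

        # 3) hardened write against a benign rootfs still creates the file inside it
        rootfs_c = os.path.join(tmp, "rootfs_c")
        os.mkdir(rootfs_c)
        write_config_hardened(rootfs_c, b"{}")
        with open(os.path.join(rootfs_c, CONFIG_NAME), "rb") as f:
            results["hardened_writes_inside_rootfs"] = f.read() == b"{}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

O_NOFOLLOW only covers the final path component. When the file lives in a subdirectory of the rootfs, either walk each directory with O_NOFOLLOW|O_DIRECTORY or use openat2() with RESOLVE_IN_ROOT (Linux 5.6+), which confines the whole resolution to the rootfs. A realpath() check before open() is not an equivalent fix: the image content can change between the check and the open.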
Remediation
The primary and recommended remediation for CVE-2025-24965 is to upgrade crun to version 1.20 or later. This version contains the necessary security fixes to address the vulnerability in the krun handler. The advisory lists no workaround; until the upgrade is applied, treat every image started with the krun handler as able to create or overwrite any host file writable by the user invoking crun, and do not run untrusted images through that handler.
Steps to Remediate:
- Identify Affected Systems: Determine all systems running crun versions prior to 1.20, paying particular attention to hosts that run containers with the krun handler, since only that code path is affected.
- Upgrade crun: Upgrade crun to version 1.20 or a later patched version. The upgrade process will vary depending on your operating system and package manager; consult the crun documentation or your operating system's documentation for specific instructions. Example:
yum update crun
or
apt-get update && apt-get install --only-upgrade crun
- Verify the Upgrade: After upgrading, verify that crun is running the corrected version using the crun --version command. Confirm that the output displays version 1.20 or later. Some distributions backport security fixes without changing the upstream version number; if the reported version is older than 1.20, check your distribution's advisory for CVE-2025-24965 before concluding the host is still vulnerable.
- Recreate Containers as Needed: The vulnerable code runs on the host at container creation time, so containers created after the upgrade use the fixed handler. Container images do not need to be rebuilt, because the flaw is in the host runtime, not in image contents. What does need attention is auditing which images have been run with the krun handler on vulnerable hosts, since a malicious image is the attack vector.
- Monitor Systems: Monitor the affected systems for signs of exploitation before the upgrade, in particular unexpected creation or modification of host files writable by the user account that invokes crun.
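As an added helper for the identify and verify steps above (not part of the original page or of the crun project), the following Python compares the version reported by crun --version against 1.20 numerically, which a plain string comparison gets wrong ("1.9" sorts after "1.20"). The inventory lines are constructed sample data; the version-line format matches the first line crun prints, and anything the parser cannot recognise is reported as unknown rather than as patched.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (1, 20, 0)  # first release carrying the fix for CVE-2025-24965

# First line of `crun --version` looks like "crun version 1.20" or "crun version 1.19.1"
_VERSION_RE = re.compile(r"^crun version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_crun_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `crun --version` output; None if unrecognised."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison is numeric per component, so (1, 9, 0) < (1, 20, 0) as intended."""
    return version < FIXED_VERSION


def classify(output: str) -> str:
    """Map raw `crun --version` output to 'vulnerable', 'patched' or 'unknown'."""
    v = parse_crun_version(output)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "patched"


def check_local_crun() -> str:
    """Run the real `crun --version` on this host; 'not-installed' if crun is absent."""
    if shutil.which("crun") is None:
        return "not-installed"
    proc = subprocess.run(["crun", "--version"], capture_output=True, text=True, check=False)
    return classify(proc.stdout)


# Constructed sample inventory: host name -> captured output of `crun --version`
SAMPLE_INVENTORY = {
    "node-a": "crun version 1.19.1\ncommit: 0000000\n",
    "node-b": "crun version 1.20\ncommit: 0000000\n",
    "node-c": "crun version 1.9\n",
    "node-d": "runc version 1.1.12\n",  # a different runtime: no crun information at all
}


def audit(inventory: dict) -> dict:
    """Classify every host in an inventory of captured `crun --version` output."""
    return {host: classify(out) for host, out in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print(f"this host: {check_local_crun()}")
```

A result of "vulnerable" on a distribution that backports fixes is a prompt to read that distribution's advisory, not a final verdict; the check is a first pass over a fleet, and "unknown" hosts need a manual look rather than being counted as patched.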
Assigner
- Name: GitHub, Inc.
Date
- Published Date: 2025-02-19 16:46:32
- Updated Date: 2025-02-19 17:15:16