Crun Container Runtime Vulnerability Permits File Modification on Host Systems
CVE-2025-24965

8.5 HIGH

Key Information:

Vendor: Containers

Status
Vendor
CVE Published: 19 February 2025

What is CVE-2025-24965?

The crun container runtime, a widely used open-source tool for managing containerized applications, has a vulnerability that allows a malicious container image to escape its root filesystem. This escape can enable unauthorized file creation or modification on the host machine without requiring elevated privileges. To mitigate this issue, users are strongly encouraged to upgrade to crun version 1.20, as no workarounds are available. For detailed information about the vulnerability, refer to the official security advisory.

Affected Version(s)

crun < 1.20

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved