Denial-of-Service Vulnerability in CRI-O by Red Hat
CVE-2025-4437

5.7MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Openshift Container Platform 4
Vendor: CVE Published:; 20 August 2025

What is CVE-2025-4437?

A vulnerability exists in the CRI-O application where the use of a non-existent user in the securityContext.runAsUser may trigger CRI-O to attempt user creation. This process reads the entire /etc/passwd file into memory, which can lead to excessive memory usage. When this occurs, it risks causing applications to be terminated due to out-of-memory conditions, potentially resulting in a denial-of-service scenario that disrupts other operational pods and services on the same host.

References

https://access.redhat.com/security/cve/CVE-2025-4437

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2375084

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2025
Vulnerability Reserved
May 8, 2025

Credit

Red Hat would like to thank Dongha Kim (BoB Project Team, Pirates) for reporting this issue.