Path Traversal Vulnerability in OSV-SCALIBR Container Image Processing by Google
CVE-2025-5981

5.7 MEDIUM

Key Information:

Vendor

Google

CVE Published:
18 June 2025

What is CVE-2025-5981?

A path traversal vulnerability in OSV-SCALIBR's unpack() function allows arbitrary files to be written on the host system. The issue arises when the --remote-image CLI flag is used with untrusted container images, potentially leading to unauthorized file access and manipulation.
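The defensive counterpart of the flaw described above is an unpack routine that refuses any archive entry whose path would land outside the extraction directory. The following is an added example written in Go (the language OSV-SCALIBR is implemented in); it is not OSV-SCALIBR's own code or its fix, and every name in it (safeJoin, within, extractTar, buildTar, tarEntry, ErrTraversal) is hypothetical. It rejects entries whose cleaned path leaves the destination, resolves each symlink target physically before creating the link so that a lexically-inside chain such as "b -> ." followed by "a -> b/.." is caught, and insists on an empty destination so that every symlink present during extraction is one it already validated. The sample archives are constructed in memory.

```go
package main

// Added example, not OSV-SCALIBR's own code; names are hypothetical and the archives are constructed in memory.

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any entry that would land outside dest.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// within reports whether path is dest itself or lies beneath it.
func within(dest, path string) bool {
	return path == dest || strings.HasPrefix(path, dest+string(os.PathSeparator))
}

// safeJoin joins an entry name onto dest. Join cleans "a/../../b" lexically and nests an
// absolute name under dest, so the prefix check only has to reject what still escapes.
func safeJoin(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	if target := filepath.Join(absDest, name); within(absDest, target) {
		return target, nil
	}
	return "", fmt.Errorf("%w: %q", ErrTraversal, name)
}

// extractTar unpacks r into dest, which must be an empty directory so that every symlink
// present while entries are written is one this function already validated. It fails closed
// on the first unsafe entry and returns the paths created before that point.
func extractTar(r io.Reader, dest string) ([]string, error) {
	realDest, err := filepath.Abs(dest)
	if err == nil {
		realDest, err = filepath.EvalSymlinks(realDest)
	}
	if err != nil {
		return nil, err
	}
	if entries, e := os.ReadDir(realDest); e != nil || len(entries) > 0 {
		return nil, fmt.Errorf("dest %q must be an empty directory", dest)
	}
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(realDest, hdr.Name)
		if err != nil {
			return written, err
		}
		if err = os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeSymlink:
			// Resolve the link target physically, without lexical cleaning, so "b/.." with
			// "b -> ." is caught; absolute and dangling targets are refused (fail closed).
			resolved, e := filepath.EvalSymlinks(filepath.Dir(target) + string(os.PathSeparator) + hdr.Linkname)
			if filepath.IsAbs(hdr.Linkname) || e != nil || !within(realDest, resolved) {
				return written, fmt.Errorf("%w: symlink %q -> %q", ErrTraversal, hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg:
			var data []byte // buffered whole for brevity; stream it in production code
			if data, err = io.ReadAll(tr); err == nil {
				err = os.WriteFile(target, data, os.FileMode(hdr.Mode)&0o777)
			}
		default:
			err = fmt.Errorf("unsupported entry type %q in %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

// tarEntry and buildTar construct a sample archive in memory; a non-empty Linkname makes a symlink.
type tarEntry struct{ Name, Body, Linkname string }

func buildTar(entries ...tarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(e.Body))}
		if e.Linkname != "" {
			hdr.Typeflag, hdr.Linkname, hdr.Size = tar.TypeSymlink, e.Linkname, 0
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e.Body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "unpack-demo")
	defer os.RemoveAll(dest)
	img := buildTar(tarEntry{Name: "ok/file.txt", Body: "hello"}, tarEntry{Name: "../evil.txt", Body: "x"})
	written, err := extractTar(bytes.NewReader(img), dest)
	fmt.Println("written:", written, "error:", err) // the second entry is rejected; nothing lands outside dest
}
```

Two design points worth noting. First, hard links, device nodes and dangling symlinks are refused outright; real container layers do contain dangling links (package alternatives, for instance), so a scanner that must extract them needs root-scoped resolution, for example the filepath-securejoin library or, on Linux, openat2(2) with RESOLVE_IN_ROOT, rather than the simpler refuse-it rule used here. Second, the check-then-write sequence still has a window in which a concurrent writer could swap a path component; when the destination is private to the extracting process that window is closed, and openat2 with RESOLVE_BENEATH closes it in the general case.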

Affected Version(s)

osv-scalibr 0.1.3 < 0.1.8

References

CVSS V4

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anthony Weems of Google's Cloud Vulnerability Research team
Simon Scannell of Google's Cloud Vulnerability Research team
Stefan Schiller of Google's Cloud Vulnerability Research team