CVE-2025-9566

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-9566
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-9566.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-9566
Aliases
Downstream
Related
Published
2025-09-05T20:15:36Z
Modified
2025-09-17T09:11:03.690062Z
Summary
[none]
Details

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.

Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1

References

Affected packages

Debian:11 / libpod

Package

Name
libpod
Purl
pkg:deb/debian/libpod?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.1+dfsg1-3
3.0.1+dfsg1-3+deb11u1
3.0.1+dfsg1-3+deb11u2
3.0.1+dfsg1-3+deb11u3
3.0.1+dfsg1-3+deb11u4
3.0.1+dfsg1-3+deb11u5
3.1.0+ds1-1
3.1.2+ds1-1
3.2.0+ds5-1
3.2.0+ds5-2
3.2.1+ds1-1
3.2.1+ds1-2
3.2.2+ds1-1
3.2.3+ds1-1
3.3.0+ds2-1
3.3.0+ds2-2
3.3.1+ds2-1
3.4.0+ds1-1
3.4.1+ds1-1
3.4.1+ds1-2
3.4.2+ds1-1
3.4.3+ds1-1
3.4.4+ds1-1
3.4.6+ds1-1
3.4.7+ds1-1
3.4.7+ds1-2
3.4.7+ds1-3

4.*

4.0.0~rc5+ds1-1
4.0.1+ds1-1
4.0.1+ds1-2
4.0.1+ds1-3
4.0.3+ds1-1
4.1.0+ds2-1
4.1.0+ds2-2
4.1.1+ds1-1
4.1.1+ds1-2
4.2.0+ds1-1
4.2.0+ds1-2
4.2.0+ds1-3
4.3.1+ds1-1
4.3.1+ds1-2
4.3.1+ds1-3
4.3.1+ds1-4
4.3.1+ds1-5
4.3.1+ds1-6
4.3.1+ds1-7
4.3.1+ds1-8
4.4.0+ds1-1
4.5.0+ds2-1
4.5.1+ds1-1
4.5.1+ds1-2
4.6.2+ds1-1
4.6.2+ds1-2
4.6.2+ds1-3
4.6.2+ds1-4
4.7.1+ds4-1
4.7.1+ds4-2
4.7.1+ds4-3
4.7.1+ds4-4
4.7.1+ds4-5
4.7.2+ds1-1
4.7.2+ds1-2
4.8.3+ds1-1
4.8.3+ds1-2
4.9.0+ds1-1
4.9.0+ds1-2
4.9.2+ds1-1
4.9.2+ds1-2
4.9.3+ds1-1
4.9.4+ds1-1
4.9.5+ds1-1

5.*

5.0.0+ds1-1
5.0.2+ds1-1
5.0.2+ds1-2
5.0.2+ds1-3
5.0.3+ds1-1
5.0.3+ds1-2
5.0.3+ds1-3
5.0.3+ds1-4
5.0.3+ds1-5
5.2.0+ds1-1
5.2.0+ds1-2
5.2.0+ds1-3
5.2.0+ds1-4
5.2.0+ds1-5
5.2.1+ds1-1
5.2.1+ds1-2
5.2.1+ds1-3
5.2.1+ds1-4
5.2.2+ds1-1
5.2.2+ds1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / libpod

Package

Name
libpod
Purl
pkg:deb/debian/libpod?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3.1+ds1-8
4.3.1+ds1-8+deb12u1
4.4.0+ds1-1
4.5.0+ds2-1
4.5.1+ds1-1
4.5.1+ds1-2
4.6.2+ds1-1
4.6.2+ds1-2
4.6.2+ds1-3
4.6.2+ds1-4
4.7.1+ds4-1
4.7.1+ds4-2
4.7.1+ds4-3
4.7.1+ds4-4
4.7.1+ds4-5
4.7.2+ds1-1
4.7.2+ds1-2
4.8.3+ds1-1
4.8.3+ds1-2
4.9.0+ds1-1
4.9.0+ds1-2
4.9.2+ds1-1
4.9.2+ds1-2
4.9.3+ds1-1
4.9.4+ds1-1
4.9.5+ds1-1

5.*

5.0.0+ds1-1
5.0.2+ds1-1
5.0.2+ds1-2
5.0.2+ds1-3
5.0.3+ds1-1
5.0.3+ds1-2
5.0.3+ds1-3
5.0.3+ds1-4
5.0.3+ds1-5
5.2.0+ds1-1
5.2.0+ds1-2
5.2.0+ds1-3
5.2.0+ds1-4
5.2.0+ds1-5
5.2.1+ds1-1
5.2.1+ds1-2
5.2.1+ds1-3
5.2.1+ds1-4
5.2.2+ds1-1
5.2.2+ds1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / podman

Package

Name
podman
Purl
pkg:deb/debian/podman?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.4.2+ds1-2
5.6.1+ds1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / podman

Package

Name
podman
Purl
pkg:deb/debian/podman?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.4.2+ds1-2
5.6.1+ds1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}