GHSA-m6hq-p25p-ffr2

Suggest an improvement

Source

https://github.com/advisories/GHSA-m6hq-p25p-ffr2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-m6hq-p25p-ffr2/GHSA-m6hq-p25p-ffr2.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-m6hq-p25p-ffr2

Aliases

CVE-2025-64329

Downstream

MINI-2xcx-q8gp-cw8w

MINI-3h9r-ppvf-vc3g

MINI-48wm-grwf-fv24

MINI-4g3v-9xgc-54h6

MINI-5pj7-7mhh-qgf7

MINI-7m2q-24x2-3vcc

MINI-7wrp-5jq2-6687

MINI-8pg2-gfgx-24rm

MINI-c9v5-x7cm-w9mq

MINI-f5gc-jw8p-mwrx

MINI-f5mw-h448-vr9m

MINI-fwrw-xxhc-7h2w

MINI-jx8j-2q39-8973

MINI-mfjx-58f8-vpgq

MINI-pg56-g5f8-8j4m

MINI-rwcm-8j3c-v993

MINI-wjw7-7vx5-c8qc

MINI-xj8x-7833-3433

Related

Published

2025-11-06T23:32:23Z

Modified

2025-11-07T16:42:55Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

containerd CRI server: Host memory exhaustion through Attach goroutine leak

Details

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., <code>kubectl attach</code>) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

2.2.0
2.1.5
2.0.7
1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources. e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

Open an issue in containerd
Email us at security@containerd.io

To report a security issue in containerd:

Report a new vulnerability

Database specific

{
    "github_reviewed_at": "2025-11-06T23:32:23Z",
    "nvd_published_at": "2025-11-07T05:16:08Z",
    "cwe_ids": [
        "CWE-401"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

Go

github.com/containerd/containerd

Package

Name: github.com/containerd/containerd; View open source insights on deps.dev
Purl: pkg:golang/github.com/containerd/containerd

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.29

github.com/containerd/containerd/v2

Package

Name: github.com/containerd/containerd/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/containerd/containerd/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.7

github.com/containerd/containerd/v2

Package

Name: github.com/containerd/containerd/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/containerd/containerd/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.1.0-beta.0

Fixed

2.1.5

github.com/containerd/containerd/v2

Package

Name: github.com/containerd/containerd/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/containerd/containerd/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.2.0-beta.0

Fixed

2.2.0