CVE-2025-31133
- Source
- https://cve.org/CVERecord?id=CVE-2025-31133
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-31133.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-31133
- Aliases
- Downstream
- Related
- Published
- 2025-11-06T18:47:47.335Z
- Modified
- 2026-05-17T03:54:22.630237559Z
- Severity
-
- 7.3 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- runc container escape via "masked path" abuse due to mount race conditions
- Details
-
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
- Database specific
{ "cwe_ids": [ "CWE-363", "CWE-61" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31133.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31133.json
- https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
- https://nvd.nist.gov/vuln/detail/CVE-2025-31133
- https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522
- https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66
- https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f
- https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64