GHSA-j26p-6wx7-f3pw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j26p-6wx7-f3pw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-j26p-6wx7-f3pw/GHSA-j26p-6wx7-f3pw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-j26p-6wx7-f3pw
- Aliases
- Published
- 2025-08-14T16:39:04Z
- Modified
- 2025-08-14T19:37:22Z
- Severity
-
- 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
- Details
-
Summary
If
/procand/sysin the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.Details
For security reasons, container creation should be prohibited if
/procor/sysin the rootfs is a symbolic link. I verified this behavior withyouki. When/procor/sysis a symbolic link,runcfails to create the container, whereasyoukisuccessfully creates it.This is the fix related to this issue in
runc. * https://github.com/opencontainers/runc/pull/3756 * https://github.com/opencontainers/runc/pull/3773 * https://github.com/opencontainers/runc/blob/main/libcontainer/rootfs_linux.go#L590 * https://github.com/opencontainers/runc/blob/main/tests/integration/mask.bats#L60Impact
The following advisory appears to be related to this vulnerability: * https://github.com/advisories/GHSA-vpvm-3wq2-2wvm * https://github.com/advisories/GHSA-fh74-hm69-rqjw
- Database specific
{ "github_reviewed_at": "2025-08-14T16:39:04Z", "severity": "HIGH", "nvd_published_at": "2025-08-14T16:15:39Z", "github_reviewed": true, "cwe_ids": [ "CWE-61" ] }- References
Affected packages
crates.io / youki
Package
- Name
- youki
- View open source insights on deps.dev
- Purl
- pkg:cargo/youki