GHSA-m6hq-p25p-ffr2

Suggest an improvement
Source
https://github.com/advisories/GHSA-m6hq-p25p-ffr2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-m6hq-p25p-ffr2/GHSA-m6hq-p25p-ffr2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m6hq-p25p-ffr2
Aliases
Downstream
Related
Published
2025-11-06T23:32:23Z
Modified
2026-01-30T02:35:49.279777Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
containerd CRI server: Host memory exhaustion through Attach goroutine leak
Details

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources. e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

Database specific 
{
    "severity": "MODERATE",
    "github_reviewed_at": "2025-11-06T23:32:23Z",
    "nvd_published_at": "2025-11-07T05:16:08Z",
    "cwe_ids": [
        "CWE-401"
    ],
    "github_reviewed": true
}
References

Affected packages

Go
github.com/containerd/containerd

Package

Name
github.com/containerd/containerd
View open source insights on deps.dev
Purl
pkg:golang/github.com/containerd/containerd

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.29

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-m6hq-p25p-ffr2/GHSA-m6hq-p25p-ffr2.json"
github.com/containerd/containerd/v2

Package

Name
github.com/containerd/containerd/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/containerd/containerd/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.7

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-m6hq-p25p-ffr2/GHSA-m6hq-p25p-ffr2.json"
github.com/containerd/containerd/v2

Package

Name
github.com/containerd/containerd/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/containerd/containerd/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.1.0-beta.0
Fixed
2.1.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-m6hq-p25p-ffr2/GHSA-m6hq-p25p-ffr2.json"
github.com/containerd/containerd/v2

Package

Name
github.com/containerd/containerd/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/containerd/containerd/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.2.0-beta.0
Fixed
2.2.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-m6hq-p25p-ffr2/GHSA-m6hq-p25p-ffr2.json"