CVE-2025-0750
📋 TL;DR
A path traversal vulnerability in CRI-O's log management functions (UnMountPodLogs and LinkContainerLogs) allows attackers with Pod creation/deletion permissions to unmount arbitrary host paths. This can lead to node-level denial of service by unmounting critical system directories. Affects Kubernetes/OpenShift clusters using vulnerable CRI-O versions.
💻 Affected Systems
- CRI-O
- OpenShift Container Platform
- Kubernetes clusters using CRI-O
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete node unavailability by unmounting critical filesystems like /, /var, or /etc, causing system crashes and data corruption.
Likely Case
Targeted unmounting of application directories causing service disruption, potential data loss, and container runtime failures.
If Mitigated
Limited impact if RBAC restricts Pod creation/deletion to trusted users and network policies limit attack surface.
🎯 Exploit Status
Requires authenticated access to Kubernetes API with Pod management permissions. Exploitation involves crafting malicious Pod configurations to trigger path traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CRI-O 1.31.0, 1.30.0-rc.2, 1.29.0-rc.2, 1.28.0-rc.2 or later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:1122
Restart Required: Yes
Instructions:
1. Update CRI-O to patched version using your package manager. 2. For OpenShift: Update to version containing fix via OpenShift Update Service. 3. Restart CRI-O service: systemctl restart crio. 4. Restart affected containers/nodes.
🔧 Temporary Workarounds
Restrict Pod Management Permissions
linuxLimit create/delete Pod permissions to trusted users via Kubernetes RBAC.
kubectl create role pod-manager --verb=create,delete --resource=pods
kubectl create rolebinding pod-manager-binding --role=pod-manager --user=trusted-user
Monitor Unmount Operations
linuxSet up auditing for mount/unmount system calls on nodes.
auditctl -a always,exit -F arch=b64 -S umount2 -k crio-unmount
🧯 If You Can't Patch
- Implement strict RBAC to limit Pod creation/deletion to essential personnel only.
- Deploy network policies to restrict access to Kubernetes API server from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
Check CRI-O version: crio --version. If version is before 1.31.0, 1.30.0-rc.2, 1.29.0-rc.2, or 1.28.0-rc.2, system is vulnerable.Check Version:
crio --versionVerify Fix Applied:
Verify CRI-O version is patched: crio --version | grep -E '1\.(31\.0|30\.0-rc\.2|29\.0-rc\.2|28\.0-rc\.2)'. Test by attempting to create a Pod with path traversal payload (in safe environment).📡 Detection & Monitoring
Log Indicators:
- Unexpected unmount operations in system logs
- CRI-O logs showing path traversal attempts
- Kubernetes audit logs showing Pod creation with suspicious volume paths
Network Indicators:
- Unusual API calls to create/delete Pods from unexpected sources
SIEM Query:
source="kube-audit" AND (verb="create" OR verb="delete") AND objectRef.resource="pods" AND user.username NOT IN ("system:serviceaccount:kube-system:*", "trusted-users")