CVE-2025-54867

7.0 HIGH

📋 TL;DR

This vulnerability in the Youki container runtime allows an attacker who controls a container image to escape container isolation and access the host filesystem when /proc or /sys in the rootfs is a symbolic link. It affects Youki versions before 0.5.5. Containerized workloads running on vulnerable Youki versions are at risk of host compromise.

💻 Affected Systems

Products:
  • Youki container runtime
Versions: All versions before 0.5.5
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires containers with /proc or /sys as symbolic links in rootfs; typical container images may not have this configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full host root filesystem access, leading to complete host compromise, data theft, and lateral movement to other containers or systems.

🟠 Likely Case

Container escape allowing attackers to read sensitive host files, modify system configurations, or install persistence mechanisms.

🟢 If Mitigated

Limited impact if containers run with minimal privileges, but still a potential for information disclosure about the host system.

🌐 Internet-Facing: MEDIUM - Requires container deployment with vulnerable runtime; direct internet exposure increases attack surface.
🏢 Internal Only: MEDIUM - Internal attackers or compromised containers could exploit this to escalate privileges to host level.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to create or modify container images with specific symlink configurations; not trivial but achievable by attackers with container creation privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.5

Vendor Advisory: https://github.com/youki-dev/youki/security/advisories/GHSA-j26p-6wx7-f3pw

Restart Required: Yes

Instructions:

1. Stop all containers running with Youki.
2. Update Youki to version 0.5.5 using your package manager or from GitHub releases.
3. Restart containers with the updated runtime.

🔧 Temporary Workarounds

Disable symlinks in container rootfs

Platform: linux

Prevent containers from having /proc or /sys as symbolic links in their root filesystem.

Ensure container images do not contain symlinks at the /proc or /sys paths in the rootfs.
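The following script is an added example (not code from the advisory or from the youki project) that implements the check above: it inspects an unpacked rootfs directory, or an exported rootfs tar such as the output of `docker export`, and flags /proc or /sys entries that are symbolic links. The demo rootfs it builds is constructed sample data.

```shell
#!/bin/sh
# Added example (not the advisory's or youki's own code): check whether a
# container rootfs, on disk or as an exported tar, has /proc or /sys as a
# symbolic link, the precondition CVE-2025-54867 needs in youki < 0.5.5.

# Check an unpacked rootfs directory. Returns 1 if /proc or /sys is a symlink.
check_rootfs_symlinks() {
  rootfs=$1; status=0
  for p in proc sys; do
    if [ -L "$rootfs/$p" ]; then
      printf 'UNSAFE: %s/%s -> %s\n' "$rootfs" "$p" "$(readlink "$rootfs/$p")"
      status=1
    elif [ -d "$rootfs/$p" ]; then
      printf 'ok: %s/%s is a directory\n' "$rootfs" "$p"
    else
      printf 'ok: %s/%s absent (no symlink to follow)\n' "$rootfs" "$p"
    fi
  done
  return $status
}

# Check a tar archive (e.g. from `docker export`) without unpacking it:
# flag entries of symlink type ('l') named proc or sys at the archive root.
check_rootfs_tar() {
  tar -tvf "$1" | awk '
    substr($1, 1, 1) == "l" {
      for (i = 2; i < NF; i++) if ($(i + 1) == "->") {
        n = $i; sub(/^\.\//, "", n); sub(/\/$/, "", n)
        if (n == "proc" || n == "sys") { found = 1; print "UNSAFE: " $0 }
      }
    }
    END { exit (found ? 1 : 0) }'
}

# Stand-alone demo on a constructed rootfs (sample data, not a real image).
demo=$(mktemp -d)
mkdir -p "$demo/proc"            # safe: a real directory
ln -s /host/sys "$demo/sys"      # unsafe: constructed symlink
check_rootfs_symlinks "$demo" || echo "$demo must not be run under youki < 0.5.5"
rm -rf "$demo"
```

Run `check_rootfs_tar image.tar` on the output of `docker export <container> > image.tar` to screen an image before it is scheduled onto hosts that still run an unpatched Youki.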

Use alternative container runtime

Platform: linux

Temporarily switch to runc or containerd while patching Youki.

docker info --format '{{.DefaultRuntime}}'

Check which runtime Docker uses by default and switch if it is Youki.

🧯 If You Can't Patch

  • Restrict container privileges using seccomp, AppArmor, or SELinux profiles
  • Implement network segmentation to isolate containers with vulnerable runtime

🔍 How to Verify

Check if Vulnerable:

Extract the version number from youki's output and compare it against 0.5.5 (any lower version is vulnerable):

v=$(youki --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1); [ "$(printf '%s\n' "$v" 0.5.5 | sort -V | head -n1)" != 0.5.5 ] && echo 'VULNERABLE'

Check Version:

youki --version

Verify Fix Applied:

Verify the version is 0.5.5 or higher:

v=$(youki --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1); [ "$(printf '%s\n' "$v" 0.5.5 | sort -V | head -n1)" = 0.5.5 ] && echo 'PATCHED'

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to host /proc or /sys paths from container processes
  • Container runtime errors related to symlink resolution

Network Indicators:

  • Unexpected outbound connections from container to host services

SIEM Query:

process.name:youki AND (event.action:symlink OR file.path:"/proc/*" OR file.path:"/sys/*")

🔗 References
