CVE-2025-9566

8.1 HIGH

📋 TL;DR

A path traversal vulnerability in Podman's kube play command lets an attacker overwrite arbitrary host files when the Kubernetes YAML it is given uses symbolic links in Secret or ConfigMap volume mounts. Anyone who runs podman kube play on YAML from an untrusted source is exposed. The overwrite happens with the privileges of the user invoking podman, so rootful use puts root-owned files in reach, while rootless use confines the damage to files that user can already write.

💻 Affected Systems

Products:
  • podman
Versions: v4.0.0 through v5.6.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires running 'podman kube play' with malicious YAML files containing symbolic links in Secret/ConfigMap volume mounts.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific podman build, since distributions may backport the fix
  3. Test whether the vulnerability is reachable in your environment (who can run podman kube play, and on which YAML)
  4. Update to podman 5.6.1 or later

⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical system files could be overwritten, potentially leading to denial of service, privilege escalation, or system compromise if sensitive files are corrupted.

🟠

Likely Case

Local file corruption or denial of service affecting containerized applications, potentially disrupting services running on the host.

🟢

If Mitigated

Minimal impact if only trusted YAML files are used and proper container isolation is enforced.

🌐 Internet-Facing: LOW - Exploitation requires local access or ability to execute podman commands with malicious YAML files.
🏢 Internal Only: MEDIUM - Internal users with podman access could exploit this to disrupt services or corrupt files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to execute podman commands and provide malicious YAML files. Attacker controls target file path but not content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.6.1

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:15900

Restart Required: No

Instructions:

1. Update podman to version 5.6.1 or later.
2. On Red Hat systems: 'sudo yum update podman' or 'sudo dnf update podman'.
3. Verify the update with 'podman --version'.

🔧 Temporary Workarounds

Restrict kube play usage

linux

Limit podman kube play command usage to trusted users and audit YAML files for symbolic links in volume mounts.

# Implement access controls via sudoers or RBAC
# Example: restrict podman commands to specific users

Use container isolation

linux

Run podman rootless (as an unprivileged user, optionally with --userns=keep-id) so that an overwrite is confined to files that user can already write; root-owned host files are out of reach. The invoking user's own files (shell profiles, SSH keys, application config) remain writable, so this narrows the blast radius rather than closing the hole.

podman kube play --userns=keep-id pod.yaml
# The rootless API socket is only needed if you drive podman over its REST API as that user:
systemctl --user start podman.socket

🧯 If You Can't Patch

  • Audit all Kubernetes YAML files used with podman kube play for symbolic links in Secret/ConfigMap volume mounts.
  • Implement strict access controls: only allow trusted users to execute podman commands and validate YAML files before execution.
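The audit step above can be partly automated. The following script is an added example written for this page, not code from the Podman project: it walks a manifest, lists every Secret and ConfigMap volume and where each is mounted, and flags the generic ways a mount can reach outside its volume (absolute or '..' components in items[].path or subPath, and hostPath volumes). It does not reproduce the exact trigger of CVE-2025-9566; it gives a reviewer the list of mounts to inspect by hand. It uses PyYAML when installed and falls back to JSON otherwise (JSON is valid YAML, and podman kube play accepts it). The sample manifest is constructed for the example.

```python
import json

try:
    import yaml  # PyYAML, if installed
except ImportError:
    yaml = None  # fall back to JSON; JSON is valid YAML and podman accepts it


def load_documents(text):
    """Parse a manifest (multi-document YAML, or JSON when PyYAML is absent)."""
    if yaml is not None:
        return [d for d in yaml.safe_load_all(text) if d]
    return [json.loads(text)]


def _pod_spec(doc):
    """Return the pod spec for the kinds podman kube play accepts, else None."""
    kind = doc.get("kind")
    spec = doc.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "DaemonSet", "Job"):
        return (spec.get("template") or {}).get("spec") or {}
    return None


def _escapes(rel_path):
    """True if a path that must stay inside its volume is absolute or climbs with '..'."""
    return rel_path.startswith("/") or ".." in rel_path.split("/")


def audit_manifest(text):
    """Return (level, workload, volume, message) findings for Secret/ConfigMap mounts."""
    findings = []
    for doc in load_documents(text):
        spec = _pod_spec(doc)
        if spec is None:
            continue
        workload = (doc.get("metadata") or {}).get("name", "<unnamed>")
        sensitive = {}  # volume name -> "secret" | "configMap"
        for vol in spec.get("volumes") or []:
            for key in ("secret", "configMap"):
                if key in vol:
                    sensitive[vol["name"]] = key
                    for item in (vol[key] or {}).get("items") or []:
                        path = item.get("path", "")
                        if _escapes(path):
                            findings.append(("warn", workload, vol["name"],
                                             f"{key} items[].path leaves the volume: {path!r}"))
            if "hostPath" in vol:
                findings.append(("warn", workload, vol["name"],
                                 f"hostPath volume writes straight to the host: "
                                 f"{vol['hostPath'].get('path')!r}"))
        containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        for c in containers:
            for mount in c.get("volumeMounts") or []:
                name = mount.get("name")
                if name not in sensitive:
                    continue
                findings.append(("info", workload, name,
                                 f"{sensitive[name]} mounted at {mount.get('mountPath')!r} "
                                 f"in container {c.get('name')!r}: review for symlinks before "
                                 f"running untrusted YAML"))
                sub = mount.get("subPath", "")
                if sub and _escapes(sub):
                    findings.append(("warn", workload, name,
                                     f"subPath leaves the volume: {sub!r}"))
    return findings


# Constructed sample manifest (JSON form so it loads with or without PyYAML).
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "volumes": [
            {"name": "creds", "secret": {"secretName": "db-creds",
                                         "items": [{"key": "password",
                                                    "path": "../../../etc/passwd"}]}},
            {"name": "cfg", "configMap": {"name": "app-cfg"}},
        ],
        "containers": [{
            "name": "app", "image": "localhost/app:latest",
            "volumeMounts": [
                {"name": "creds", "mountPath": "/run/secrets/creds"},
                {"name": "cfg", "mountPath": "/etc/app/app.conf", "subPath": "../app.conf"},
            ],
        }],
    },
})

if __name__ == "__main__":
    for level, workload, volume, message in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{level}] {workload}/{volume}: {message}")
```

Run it against your own manifests with 'python3 audit.py < pod.yaml' style plumbing; the warn-level findings are the ones to block outright, and the info-level lines are the list of mounts to check against the page's guidance.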

🔍 How to Verify

Check if Vulnerable:

Run 'podman --version'. Upstream releases from v4.0.0 through v5.6.0 inclusive are vulnerable and v5.6.1 is fixed. Distribution packages may ship the fix as a backport under an older version number, so on Red Hat and similar systems check the vendor advisory (RHSA-2025:15900) or the package changelog rather than relying on the upstream range alone.

Check Version:

podman --version

Verify Fix Applied:

Confirm podman version is 5.6.1 or later with 'podman --version'.
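A small checker that applies the page's version range, as an added example rather than anything shipped with Podman. It parses the numeric triple out of 'podman --version' output (tolerating suffixes such as '-dev' or '-rhel') and classifies it; the caveat about distribution backports still applies, so a 'vulnerable' verdict on a vendor build should be confirmed against the vendor advisory. The range constants and the rpm changelog hint are taken from this page; the function names are the example's own.

```python
import re
import shutil
import subprocess

# Affected range and fix version as stated on this page.
FIRST_AFFECTED = (4, 0, 0)
LAST_AFFECTED = (5, 6, 0)
FIXED = (5, 6, 1)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first X.Y.Z triple from `podman --version` output.

    Suffixes such as '5.6.0-dev' or '4.9.4-rhel' are ignored; a pre-release
    such as '5.6.1-rc1' therefore classifies as 5.6.1. Returns None if no
    triple is present.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable_upstream(version):
    """True for upstream builds inside the affected range (inclusive)."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def assess(text):
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for a version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if is_vulnerable_upstream(v):
        return "vulnerable"
    if v >= FIXED:
        return "fixed"
    return "unaffected"  # older than 4.0.0, before the affected range


def installed_podman_version():
    """Run `podman --version` if podman is on PATH; None otherwise."""
    exe = shutil.which("podman")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return out.stdout.strip()


if __name__ == "__main__":
    text = installed_podman_version()
    if text is None:
        print("podman not found on PATH")
    else:
        print(text, "->", assess(text))
        print("note: distribution builds may backport the fix under an older version number; "
              "confirm with the vendor advisory or e.g. "
              "'rpm -q --changelog podman | grep CVE-2025-9566' on RPM-based systems")
```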

📡 Detection & Monitoring

Log Indicators:

  • podman kube play (or the older podman play kube spelling) invoked with a YAML file from an unexpected location or by an unexpected user; an auditd execve rule on the podman binary captures the full argv, including the manifest path.
  • File modification errors from podman processes in system logs. A successful overwrite raises no error, so the absence of errors is not evidence of absence; pair invocation logging with file-integrity monitoring of sensitive host files.

Network Indicators:

  • N/A - local exploitation only

SIEM Query:

source="podman" AND "kube play" AND ("error" OR "permission denied")

This query only surfaces attempts that failed. To see successful runs, drop the error clause and alert on every kube play invocation outside an allowlist of users and manifest paths.
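Detection logic for the invocation indicator above, as an added example that is not part of the page or of Podman. It parses auditd type=EXECVE records, decodes the hex form auditd uses for arguments containing spaces, recognises both the 'kube play' and 'play kube' spellings, and extracts the manifest path (taken, as a heuristic, to be the last positional argument). It assumes an audit rule such as '-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/podman -k podman_exec' is in place; the log lines below are constructed for the example.

```python
import os
import re

# One auditd EXECVE argument: a0="quoted" or a0=2F746D70 (hex-encoded when the
# argument contains spaces or non-printable bytes).
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_execve_args(line):
    """Return argv from an auditd type=EXECVE record, or None for other record types."""
    if not line.startswith("type=EXECVE"):
        return None
    args = {}
    for m in ARG_RE.finditer(line):
        idx, quoted, hexed = m.groups()
        if quoted is not None:
            args[int(idx)] = quoted
        else:
            args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def is_kube_play(argv):
    """True for `podman kube play ...` and the older `podman play kube ...` spelling.

    Global options that take a separate value (e.g. '--root /x') are not
    modelled; only dash-prefixed tokens are skipped before the subcommand.
    """
    if not argv or os.path.basename(argv[0]) != "podman":
        return False
    positional = [a for a in argv[1:] if not a.startswith("-")]
    return positional[:2] in (["kube", "play"], ["play", "kube"])


def kube_play_invocations(lines):
    """Scan audit records and return one dict per kube play invocation."""
    hits = []
    for line in lines:
        argv = parse_execve_args(line)
        if argv is None or not is_kube_play(argv):
            continue
        m = EVENT_RE.search(line)
        positional = [a for a in argv[1:] if not a.startswith("-")]
        hits.append({
            "event": m.group(2) if m else None,
            "argv": argv,
            # heuristic: the manifest is the last positional argument after the subcommand
            "manifest": positional[-1] if len(positional) > 2 else None,
        })
    return hits


# Constructed sample audit records; the hex argument decodes to "/tmp/my pod.yaml".
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1757000000.101:2001): argc=4 a0="podman" a1="kube" a2="play" '
    'a3="/home/alice/pod.yaml"',
    'type=EXECVE msg=audit(1757000000.102:2002): argc=2 a0="podman" a1="ps"',
    'type=EXECVE msg=audit(1757000000.103:2003): argc=5 a0="/usr/bin/podman" a1="play" '
    'a2="kube" a3="--userns=keep-id" a4=2F746D702F6D7920706F642E79616D6C',
    'type=SYSCALL msg=audit(1757000000.103:2003): arch=c000003e syscall=59 success=yes exit=0',
]

if __name__ == "__main__":
    for hit in kube_play_invocations(SAMPLE_AUDIT_LINES):
        print(f"event {hit['event']}: manifest={hit['manifest']!r} argv={hit['argv']}")
```

Feed it 'ausearch -k podman_exec --raw' output (or the equivalent export from your SIEM) and compare each manifest path and invoking user against an allowlist; unlike the error-based query, this catches the runs that succeeded.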
