CVE-2025-62596

EUVD-2025-37938

06.11.2025, 00:15

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target. This issue is fixed in version 0.5.7.

Symlink

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
youki-dev	youki	𝑥 < 0.5.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-61 - UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

References

https://github.com/youki-dev/youki/commit/5886c91073b9be748bd8d5aed49c4a820548030a

https://github.com/youki-dev/youki/security/advisories/GHSA-vf95-55w6-qmrf

https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs

https://youtu.be/tGseJW_uBB8

https://youtu.be/y1PaBzxwRWQ