CVE-2025-65105

EUVD-2025-200292
Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little-used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label>, which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. AppArmor is enabled by default on Debian-based distributions and SELinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.
Symlink

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.5 MEDIUM | LOCAL | HIGH | NONE | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |

EPSS Score percentile: 3%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| lfprojects | apptainer | < 1.4.5 (vulnerable) |

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| apptainer | forky | 1.4.5-2 | fixed |
| apptainer | sid | 1.4.5-2 | fixed |

Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| apptainer | jammy | dne |
| apptainer | noble | dne |
| apptainer | plucky | dne |
| apptainer | questing | needs-triage |
| apptainer | resolute | needs-triage |

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| apptainer | suse enterprise server 15 SP6 | 1.4.5-150600.4.12.1 | fixed |
| apptainer-sle15_6 | suse enterprise server 15 SP6 | 1.4.5-150600.4.12.1 | fixed |
| libsquashfuse0 | suse enterprise server 15 SP6 | 0.5.0-150600.3.2.1 | fixed |
| squashfuse | suse enterprise server 15 SP6 | 0.5.0-150600.3.2.1 | fixed |
| squashfuse-tools | suse enterprise server 15 SP6 | 0.5.0-150600.3.2.1 | fixed |