Nixpkgs security tracker

Permalink CVE-2025-4953

7.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 7 months, 3 weeks ago
@LeSuisse ignored
7 packages
- podman-tui
- podman-bootc
- podman-compose
- podman-desktop
- nomad-driver-podman
- python312Packages.podman
- python313Packages.podman
6 months, 1 week ago
@LeSuisse accepted 6 months, 1 week ago
@LeSuisse deleted
2 maintainers
- @saschagrunert
- @vdemeester
2 months, 2 weeks ago maintainer.delete
@LeSuisse published on GitHub 2 months, 2 weeks ago

Podman: build context bind mount

A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.

References

https://access.redhat.com/security/cve/CVE-2025-4953 vdb-entryx_refsource_REDHAT
RHBZ#2367235 issue-trackingx_refsource_REDHAT
RHSA-2025:16724 x_refsource_REDHATvendor-advisory
RHSA-2025:16729 x_refsource_REDHATvendor-advisory
RHSA-2025:17669 x_refsource_REDHATvendor-advisory
https://github.com/containers/podman/pull/25173
RHSA-2025:15904 x_refsource_REDHATvendor-advisory
RHSA-2024:8690 x_refsource_REDHATvendor-advisory
RHSA-2025:2703 x_refsource_REDHATvendor-advisory
RHSA-2025:22265 x_refsource_REDHATvendor-advisory
RHSA-2025:22275 x_refsource_REDHATvendor-advisory
RHSA-2025:22695 x_refsource_REDHATvendor-advisory
RHSA-2025:22724 x_refsource_REDHATvendor-advisory
RHSA-2025:22732 x_refsource_REDHATvendor-advisory
RHSA-2025:23113 x_refsource_REDHATvendor-advisory
RHSA-2026:0316 x_refsource_REDHATvendor-advisory

Affected products

runc

cri-o

rhcos

conmon

kernel

podman

skopeo

buildah

haproxy

ignition

cri-tools

kernel-rt

openshift

openshift-kuryr

openshift-ansible

openshift-clients

openshift4-aws-iso

container-tools:rhel8

containernetworking-plugins

container-tools:rhel8/podman

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

nixos-unstable -
- nixpkgs-unstable 5.6.1

Ignored packages (7)

pkgs.podman-tui

Podman Terminal UI

nixos-unstable -
- nixpkgs-unstable 1.8.0

pkgs.podman-bootc

Streamlining podman+bootc interactions

nixos-unstable -
- nixpkgs-unstable 0.1.2

pkgs.podman-compose

Implementation of docker-compose with podman backend

nixos-unstable -
- nixpkgs-unstable 1.5.0

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

nixos-unstable -
- nixpkgs-unstable 1.21.0

pkgs.nomad-driver-podman

Podman task driver for Nomad

nixos-unstable -
- nixpkgs-unstable 0.6.3

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API

nixos-unstable -
- nixpkgs-unstable 5.6.0

pkgs.python313Packages.podman