CVE-2025-47290 HIGH

CVE-2025-47290: Containerd vulnerable to host filesystem access during image unpack

Vendor Containerd
Product containerd
Weakness CWE-367
Published May 20, 2025
Last update May 20, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U

What the vulnerability does

01Description

containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

Key dates

02Disclosure timeline

May 20, 2025 CVE published
May 20, 2025 Record updated