CVE-2025-62161 HIGH

CVE-2025-62161: youki container escape via "masked path" abuse due to mount race conditions

Vendor Youki-Dev
Product youki
Weakness CWE-363
Published November 5, 2025
Last update November 6, 2025

CVSS base score

7.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7.

Key dates

02Disclosure timeline

November 5, 2025 CVE published
November 6, 2025 Record updated