CVE-2025-65105 MEDIUM

CVE-2025-65105: Apptainer ineffective application of selinux and apparmor --security options

Vendor Apptainer
Product apptainer
Weakness CWE-61
Published December 2, 2025
Last update December 2, 2025

CVSS base score

4.5/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.

Key dates

02Disclosure timeline

December 2, 2025 CVE published
December 2, 2025 Record updated