CVE-2025-31133: 
Podman Schwachstellenanalyse und -minderung

CVE-2025-31133 affects runc, a CLI tool for spawning and running containers according to the OCI specification. The vulnerability was discovered in November 2025 and affects versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, and 1.4.0-rc.1 through 1.4.0-rc.2. The issue stems from insufficient verification of the bind-mount source when using the container's /dev/null for masking paths (NVD, GitHub Advisory).

The vulnerability exploits flaws in how runc implements the maskedPaths feature, which is designed to protect sensitive host files from access by containers. When using /dev/null to mask files, runc fails to properly verify that the source is actually a legitimate /dev/null inode. The issue has been assigned a CVSS v4.0 base score of 7.3 (High) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (Sysdig, GitHub Advisory).

The vulnerability exposes two methods of attack: an arbitrary mount gadget that can lead to host information disclosure, host denial of service, container escape, or bypassing of maskedPaths. The arbitrary mount gadget allows attackers to bind-mount arbitrary host paths into the container, enabling write access to critical files such as /proc/sys/kernel/core_pattern. This can result in container escape and full root privileges over the host system (GitHub Advisory, Sysdig).

The vulnerability has been fixed in runc versions 1.2.8, 1.3.3, and 1.4.0-rc.3. Recommended mitigations include: using containers with user namespaces, configuring containers to not permit processes to run with root privileges, avoiding untrusted container images, and enabling AppArmor profiles. AWS, ECS, EKS, and other platforms have released updates as of November 5, 2025 (AWS Security Bulletin, GitHub Advisory).

Major cloud providers and container platforms have responded quickly to the vulnerability. Amazon Web Services has released updates for their container services including ECS, EKS, and Fargate. They have emphasized that there is no cross-customer risk from these issues as AWS does not consider containers a security boundary for customer isolation (AWS Security Bulletin).