Wiz
Vulnerability DatabaseCVE-2025-31133

CVE-2025-31133
cAdvisor vulnerability analysis and mitigation

Overview

CVE-2025-31133 affects runc, a CLI tool for spawning and running containers according to the OCI specification. The vulnerability was discovered in November 2025 and affects versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, and 1.4.0-rc.1 through 1.4.0-rc.2. The issue stems from insufficient verification of the bind-mount source when using the container's /dev/null for masking paths (NVD, GitHub Advisory).

Technical details

The vulnerability exploits flaws in how runc implements the maskedPaths feature, which is designed to protect sensitive host files from access by containers. When using /dev/null to mask files, runc fails to properly verify that the source is actually a legitimate /dev/null inode. The issue has been assigned a CVSS v4.0 base score of 7.3 (High) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (Sysdig, GitHub Advisory).

Impact

The vulnerability exposes two methods of attack: an arbitrary mount gadget that can lead to host information disclosure, host denial of service, container escape, or bypassing of maskedPaths. The arbitrary mount gadget allows attackers to bind-mount arbitrary host paths into the container, enabling write access to critical files such as /proc/sys/kernel/core_pattern. This can result in container escape and full root privileges over the host system (GitHub Advisory, Sysdig).

Mitigation and workarounds

The vulnerability has been fixed in runc versions 1.2.8, 1.3.3, and 1.4.0-rc.3. Recommended mitigations include: using containers with user namespaces, configuring containers to not permit processes to run with root privileges, avoiding untrusted container images, and enabling AppArmor profiles. AWS, ECS, EKS, and other platforms have released updates as of November 5, 2025 (AWS Security Bulletin, GitHub Advisory).

Community reactions

Major cloud providers and container platforms have responded quickly to the vulnerability. Amazon Web Services has released updates for their container services including ECS, EKS, and Fargate. They have emphasized that there is no cross-customer risk from these issues as AWS does not consider containers a security boundary for customer isolation (AWS Security Bulletin).

Additional resources

SourceThis report was generated using AI

Related cAdvisor vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-65637HIGH7.5
  • cAdvisorcAdvisor
  • src-fingerprint-fips
NoYesDec 04, 2025
CVE-2025-61729HIGH7.5
  • cAdvisorcAdvisor
  • consul-k8s-fips-1.5
NoYesDec 02, 2025
CVE-2025-61727MEDIUM6.5
  • cAdvisorcAdvisor
  • gitaly-fips-18.6
NoYesDec 03, 2025
CVE-2025-58181MEDIUM5.3
  • cAdvisorcAdvisor
  • kuma-2.11
NoYesNov 19, 2025
CVE-2025-47914MEDIUM5.3
  • cAdvisorcAdvisor
  • atlantis-fips
NoYesNov 19, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo