
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in containerd version 2.1.0, tracked as CVE-2025-47290. containerd, an industry-standard container runtime used in Kubernetes and Docker environments, is responsible for core container lifecycle operations including image storage, transfer, execution, and network management. The vulnerability was discovered in May 2025 and has been patched in version 2.1.1 (Containerd Advisory, Security Online).
The flaw occurs during the image unpacking process: while an image is being pulled, a specially crafted container image can manipulate symlinks or paths so that files are written outside the container's intended boundaries. The vulnerability has been assigned a CVSS v4.0 score of 7.6 HIGH with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U (NVD).
When exploited, this vulnerability allows malicious container images to gain unauthorized access to the host filesystem, potentially overwriting critical host files. This is particularly dangerous in production container deployments where image pulls happen automatically and frequently (Security Online).
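The class of bug described above is a gap between checking where an archive entry will land and actually writing it: a purely lexical check on the joined path passes, but a symlink that exists on disk at write time redirects the write outside the root. The Go program below is an added illustration of that gap and of the defensive pattern, not containerd's code or its actual fix. It constructs a small tar archive in memory, plants a symlink in the extraction root to stand in for a link left behind by an earlier layer, and shows that a string-only check accepts a path through it while a check that resolves the parent directory immediately before each write refuses it. All file names, the archive contents and the helper names are constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscape is returned when an entry would land outside the extraction root.
var ErrEscape = errors.New("archive entry escapes extraction root")

// insideRoot reports whether candidate lies at or below root (both absolute, cleaned).
func insideRoot(root, candidate string) bool {
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalOnlyInRoot is the unsafe pattern: it inspects the joined path as a string
// and never looks at the filesystem, so a symlink already under root goes unnoticed.
func lexicalOnlyInRoot(root, name string) bool {
	return insideRoot(root, filepath.Join(root, filepath.Clean("/"+name)))
}

// resolvedPathInRoot joins name onto root and resolves every symlink in the existing
// parent directory right before use, so a planted link cannot redirect the write.
// The leaf itself may not exist yet, which is why only the parent is resolved here.
func resolvedPathInRoot(root, name string) (string, error) {
	target := filepath.Join(root, filepath.Clean("/"+name))
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return "", err
	}
	real := filepath.Join(parent, filepath.Base(target))
	if !insideRoot(root, real) {
		return "", fmt.Errorf("%w: %s resolves to %s", ErrEscape, name, real)
	}
	return real, nil
}

// extractTar unpacks r into root, refusing any entry whose resolved location, or
// whose symlink destination, lies outside root. It returns the regular files written.
func extractTar(r io.Reader, root string) ([]string, error) {
	root, err := filepath.EvalSymlinks(root) // root itself may be a symlink (e.g. /tmp on macOS)
	if err != nil {
		return nil, err
	}
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		real, err := resolvedPathInRoot(root, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(real, 0o755); err != nil {
				return written, err
			}
		case tar.TypeSymlink:
			// Check the link destination relative to the link's own directory.
			dest := hdr.Linkname
			if !filepath.IsAbs(dest) {
				dest = filepath.Join(filepath.Dir(real), dest)
			}
			if !insideRoot(root, filepath.Clean(dest)) {
				return written, fmt.Errorf("%w: symlink %s -> %s", ErrEscape, hdr.Name, hdr.Linkname)
			}
			if err := os.Symlink(hdr.Linkname, real); err != nil {
				return written, err
			}
		case tar.TypeReg:
			// O_NOFOLLOW makes the open fail if the leaf itself is a symlink.
			f, err := os.OpenFile(real, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, real)
		default:
			return written, fmt.Errorf("unsupported entry type %d for %s", hdr.Typeflag, hdr.Name)
		}
	}
}

// buildArchive returns a constructed tar: a directory, a harmless file, and a symlink
// whose destination climbs above the extraction root.
func buildArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	content := []byte("hello\n")
	tw.WriteHeader(&tar.Header{Name: "layer/", Typeflag: tar.TypeDir, Mode: 0o755})
	tw.WriteHeader(&tar.Header{Name: "layer/ok.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(content))})
	tw.Write(content)
	tw.WriteHeader(&tar.Header{Name: "layer/esc", Typeflag: tar.TypeSymlink, Mode: 0o777, Linkname: "../../.."})
	tw.Close()
	return buf.Bytes()
}

type demoResult struct {
	LexicalAccepted  bool  // unsafe check accepted a path through the planted symlink
	ResolvedRejected bool  // hardened check refused the same path
	FilesWritten     int   // regular files written before extraction stopped
	ExtractErr       error // error that stopped extraction
}

// runDemo sets up a temporary root with a pre-existing symlink pointing outside it
// (standing in for a link left by an earlier layer) and exercises both checks.
func runDemo() (demoResult, error) {
	var res demoResult
	root, err := os.MkdirTemp("", "unpack-root-")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(root)
	outside, err := os.MkdirTemp("", "outside-")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(outside)
	if root, err = filepath.EvalSymlinks(root); err != nil {
		return res, err
	}
	if err := os.Symlink(outside, filepath.Join(root, "link")); err != nil {
		return res, err
	}
	res.LexicalAccepted = lexicalOnlyInRoot(root, "link/file")
	_, err = resolvedPathInRoot(root, "link/file")
	res.ResolvedRejected = errors.Is(err, ErrEscape)
	written, err := extractTar(bytes.NewReader(buildArchive()), root)
	res.FilesWritten = len(written)
	res.ExtractErr = err
	return res, nil
}

func main() {
	res, err := runDemo()
	if err != nil {
		fmt.Println("demo setup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("lexical check accepted link/file:  %v\n", res.LexicalAccepted)
	fmt.Printf("resolved check rejected link/file: %v\n", res.ResolvedRejected)
	fmt.Printf("files written: %d, extraction stopped with: %v\n", res.FilesWritten, res.ExtractErr)
}
```

Resolving the parent immediately before the write narrows the window but does not close it on a filesystem another process can modify between the `EvalSymlinks` call and the `OpenFile`. Closing it entirely requires path resolution that is pinned to the root directory's file descriptor, such as `openat2` with `RESOLVE_BENEATH` on Linux or Go's `os.Root` API, which is the direction hardened unpackers take.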
The vulnerability has been patched in containerd version 2.1.1. Users are strongly advised to update to this version. As a temporary workaround, organizations should ensure that only trusted images are used and that only trusted users have permissions to import images (Containerd Advisory).
The containerd project has acknowledged the contribution of Tõnis Tiigi for responsibly disclosing this issue in accordance with the containerd security policy (Containerd Advisory).
Source: This report was generated using AI