CVE-2025-54867: 
Rust vulnerability analysis and mitigation

Youki, a container runtime written in Rust, was found to have a security vulnerability (CVE-2025-54867) prior to version 0.5.5. The vulnerability was discovered on August 14, 2025, where if /proc and /sys in the rootfs are symbolic links, they could potentially be exploited to gain access to the host root filesystem (GitHub Advisory).

The vulnerability stems from improper handling of symbolic links in the container's rootfs. When /proc or /sys is configured as a symbolic link, Youki would successfully create the container instead of failing, which differs from the expected security behavior implemented in other container runtimes like runc. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access required, high attack complexity, and potential for high impact on confidentiality, integrity, and availability (GitHub Advisory).

If exploited, this vulnerability could allow an attacker to gain unauthorized access to the host root filesystem, potentially compromising the entire host system's security. This represents a significant container escape vulnerability that could lead to complete system compromise (GitHub Advisory).

The vulnerability has been patched in Youki version 0.5.5. Users are advised to upgrade to this version or later. The fix includes proper validation of /proc and /sys mount points to ensure they are not symbolic links, similar to the security measures implemented in runc (GitHub Release).