
Cloud Vulnerability DB
A community-led vulnerabilities database
Youki, a container runtime written in Rust, has been found to contain a high-severity vulnerability (CVE-2025-62161) in versions 0.5.6 and below. The vulnerability stems from insufficient validation of the source /dev/null during bind mounting operations in the container's file masking process. The issue was discovered and disclosed in November 2025, affecting the cargo package youki (GitHub Advisory).
The vulnerability exists in the bind mounting process where youki performs file masking using /dev/null. The core issue has two aspects: first, the initial validation does not verify that the path it checks is genuinely the null device, and second, there is a window between that validation and the actual mount operation (a time-of-check/time-of-use race). While the runtime does validate the existence of the /dev/null path within the container and checks for symbolic links, the race condition between validation and mounting creates a security gap. The vulnerability has been assigned a CVSS v4 score of 7.3 (High), with the following vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).
The vulnerability allows an attacker to bind-mount arbitrary files from the host system by replacing /dev/null with a symbolic link during the race condition window. This can lead to container escape, potentially compromising the host system's confidentiality, integrity, and availability. The impact extends to both the vulnerable system and subsequent systems (the CVSS v4 VC/VI/VA and SC/SI/SA metrics), with high severity ratings across all impact metrics (GitHub Advisory).
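As an added illustration (not youki's code and not its patch), the defensive pattern that closes this kind of gap: validate the file descriptor you have already opened, not the path string, and then use that same descriptor as the bind source, so a symlink swapped in after the check cannot change what gets mounted. It assumes Linux dev_t encoding; the function names open_verified_devnull and bind_source_for are hypothetical.

```rust
// Added example (not youki's code): verify the object that will actually be
// bind-mounted, not the path string, so a swapped symlink cannot win the race.
use std::fs::File;
use std::io;
use std::os::unix::fs::{FileTypeExt, MetadataExt};
use std::os::unix::io::AsRawFd;
use std::path::Path;

/// Linux dev_t decoding (glibc gnu_dev_major / gnu_dev_minor layout).
fn dev_major(dev: u64) -> u64 {
    ((dev >> 8) & 0xfff) | ((dev >> 32) & !0xfff)
}
fn dev_minor(dev: u64) -> u64 {
    (dev & 0xff) | ((dev >> 12) & !0xff)
}

/// Open `path` and confirm that the *opened descriptor* is the null device
/// (character device 1:3). The check runs on the fd via fstat(2), not on the
/// path via stat(2), so there is no window between check and use: whatever
/// the container swaps in afterwards, the caller mounts this descriptor.
pub fn open_verified_devnull(path: &Path) -> io::Result<File> {
    let file = File::open(path)?;
    let meta = file.metadata()?; // fstat(2) on the descriptor we hold
    if !meta.file_type().is_char_device() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput,
            format!("{}: not a character device", path.display())));
    }
    let (maj, min) = (dev_major(meta.rdev()), dev_minor(meta.rdev()));
    if (maj, min) != (1, 3) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput,
            format!("{}: char device {}:{} is not /dev/null", path.display(), maj, min)));
    }
    Ok(file)
}

/// The bind source a mount(2) caller would use: it names the verified
/// descriptor itself, so the container cannot redirect it to a host file.
pub fn bind_source_for(file: &File) -> String {
    format!("/proc/self/fd/{}", file.as_raw_fd())
}

fn main() -> io::Result<()> {
    let f = open_verified_devnull(Path::new("/dev/null"))?;
    println!("verified null device; bind source = {}", bind_source_for(&f));
    Ok(())
}
```

A regular file or a symlink that resolves to one fails the fstat check and is never used as a mount source.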
The vulnerability has been patched in version 0.5.5 of youki. Users are advised to upgrade to this version or later to mitigate the risk. Specific mitigation details are marked as TBD in the advisory (GitHub Advisory).
The vulnerability was initially discovered in runc by Lei Wang (@ssst0n3 from Huawei) and further expanded upon by Li Fubang (@lifubang from acmcoder.com, CIIC). The discovery process involved collaboration between security researchers, with @cyphar contributing to identifying the issue in youki, demonstrating the security community's collaborative approach to container runtime security (GitHub Advisory).
Source: This report was generated using AI