CVE-2025-62161: 
Rust vulnerability analysis and mitigation

Youki, a container runtime written in Rust, contains a vulnerability (CVE-2025-62161) in versions 0.5.6 and below where insufficient validation of the source /dev/null allows container escape when utilizing bind mounting the container's /dev/null as a file mask. The vulnerability was discovered in November 2025 and has been fixed in version 0.5.7 (GitHub Advisory, NVD).

The vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the youki container runtime's handling of 'masked paths'. The issue stems from insufficient initial validation of /dev/null and a timing vulnerability between validation and the actual mount operation. By replacing /dev/null with a symbolic link, an attacker can bind-mount arbitrary files from the host system. The vulnerability has received a CVSS v4.0 base score of 7.3 (High) with vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, and a CVSS v3.1 base score of 10.0 (Critical) (Miggo, NVD).

The vulnerability allows attackers to escape container isolation by exploiting the mount race condition, potentially gaining access to arbitrary files from the host system. This poses a significant security risk as it compromises the container's isolation boundaries and could lead to unauthorized access to host system resources (GitHub Advisory).

Users should upgrade to Youki version 0.5.7 or later, which includes the fix for this vulnerability. The patch implements secure file descriptor handling and proper validation of /dev/null to prevent the race condition (GitHub Advisory).

The vulnerability was initially discovered in runc by Lei Wang (@ssst0n3) from Huawei, with additional attack vectors found by Li Fubang (@lifubang) from acmcoder.com. The youki team, with assistance from @cyphar, verified and addressed similar issues in their implementation (GitHub Advisory).