CVE-2025-54867: UNIX Symbolic Link (Symlink) Following in Youki

Severity
7.0 HIGH (NVD)
EPSS
0.0%
top 94.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 14

Description

Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.0 | Impact: 5.9

Affected Packages (3 packages)

Source      Package            Affected versions
CVEListV5   youki-dev/youki    < 0.5.5
NVD         youki-dev/youki    < 0.5.5
crates.io   youki-dev/youki    < 0.5.5

Patches

Vulnerability Details (3)
OSV (2025-08-14)
Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
CVEList (2025-08-14)
Youki Symlink Following Vulnerability
GHSA (2025-08-14)
Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
CVE-2025-54867 — UNIX Symbolic Link (Symlink) Following | cvebase