CVE-2025-6032 — Improper Certificate Validation in Containers Podman V5

CWE-295 — Improper Certificate Validation9 documents7 sources

Severity

8.3HIGHNVD

EPSS

0.1%

top 77.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Podman Project Podman Github.com Containers Podman V5 Github.com Containers Podman V4

Timeline

PublishedJun 24

Latest updateJul 28

Description

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.6 | Impact: 6.0

Affected Packages3 packages

▶Gogithub.com/containers_podman_v5< 5.5.2

▶Debianpodman_project/podman< 5.4.2+ds1-2+1

▶Gogithub.com/containers_podman_v44.8.0 — 4.9.5+1

🔴Vulnerability Details

OSV

Podman Improper Certificate Validation; machine missing TLS verification in github.com/containers/podman↗2025-07-28

▶

OSV

Podman Improper Certificate Validation; machine missing TLS verification↗2025-06-25

▶

GHSA

Podman Improper Certificate Validation; machine missing TLS verification↗2025-06-25

▶

OSV

CVE-2025-6032: A flaw was found in Podman↗2025-06-24

▶

CVEList

Podman: podman missing tls verification↗2025-06-24

▶

📋Vendor Advisories

Red Hat

podman: podman missing TLS verification↗2025-06-24

▶

Microsoft

Podman: podman missing tls verification↗2025-06-10

▶

Debian

CVE-2025-6032: libpod - A flaw was found in Podman. The podman machine init command fails to verify the ...↗2025

▶