CVE-2025-62596
Published 2025-11-06
CVSS 3.1 base score: 10.0 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
EPSS: 0.23% (13.3th percentile)
Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target. This issue is fixed in version 0.5.7.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| youki-dev | youki | < 0.5.7 | 0.5.7 |
| youki-dev | youki | >= 0 < 0.5.7 | 0.5.7 |
CVSS provenance
- NVD, CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
- NVD, CVSS v4.0: 7.3 HIGH, CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA (ghsa·2025-11-05): CVE-2025-62596 [HIGH] CWE-363 youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
### Impact ###
youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations.
**Weak write-target check**
youki only verifies that the destination lies somewhere under procfs. As a result, a write intended for `/proc/self/attr/apparmor/exec` can succeed even if the path has been redirected to `/proc/sys/kernel/hostname` (which is also in procfs).
**Path substitution**
While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target.
This is a different project, but the core logic is s
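The two checks the advisory contrasts, as an added Rust example that is not youki's own code: a prefix-only check that accepts any procfs location, a strict check that demands one exact target, and a post-open verification that asks the kernel (via `/proc/self/fd/N`) which file the descriptor really refers to before anything is written. It assumes a Linux host with procfs mounted, and it compares against the `/proc/<pid>/...` form because `/proc/self` is a symlink and `read_link` on the fd reports the pid form.

```rust
// Added example, not youki's code: contrasts the prefix-only target check the
// advisory describes with a check that pins the write to one exact target and
// re-verifies the opened descriptor against the kernel's own view of it.
use std::fs::{File, OpenOptions};
use std::io;
use std::path::{Path, PathBuf};

/// Weak check in the spirit of the advisory: only asks "is it somewhere under
/// procfs?". A redirect to any other procfs file still passes.
pub fn weak_target_check(resolved: &Path) -> bool {
    resolved.starts_with("/proc")
}

/// Strict check: the path actually reached must be exactly the intended one.
/// `/proc/self` is a symlink to `/proc/<pid>`, so callers pass the pid form.
pub fn strict_target_check(intended: &Path, resolved: &Path) -> bool {
    intended == resolved
}

/// The intended AppArmor exec attribute for this process, in pid form so it
/// compares equal to what /proc/self/fd/N reports after opening.
pub fn apparmor_exec_path() -> PathBuf {
    PathBuf::from(format!("/proc/{}/attr/apparmor/exec", std::process::id()))
}

/// Open `intended` for writing, then confirm via /proc/self/fd/<fd> that the
/// descriptor refers to that exact file. Validating the opened descriptor,
/// rather than the pre-resolved path string, removes the window in which
/// intermediate components could change underneath the resolution.
pub fn open_verified(intended: &Path) -> io::Result<File> {
    let file = OpenOptions::new().write(true).open(intended)?;
    #[cfg(target_os = "linux")]
    {
        use std::os::unix::io::AsRawFd;
        let fd_link = format!("/proc/self/fd/{}", file.as_raw_fd());
        let resolved = std::fs::read_link(&fd_link)?;
        if !strict_target_check(intended, &resolved) {
            // `file` is dropped (closed) on return; nothing is written to it.
            return Err(io::Error::new(
                io::ErrorKind::PermissionDenied,
                format!("opened {} but intended {}", resolved.display(), intended.display()),
            ));
        }
    }
    Ok(file)
}

fn main() {
    // Constructed scenario from the advisory: the intended target and the
    // procfs location a redirect could substitute for it.
    let intended = apparmor_exec_path();
    let redirected = Path::new("/proc/sys/kernel/hostname");
    println!("weak check accepts redirect: {}", weak_target_check(redirected));
    println!("strict check accepts redirect: {}", strict_target_check(&intended, redirected));

    // Demonstrate the post-open verification on an ordinary temp file
    // (canonicalized so a symlinked temp dir does not trip the comparison).
    let tmp_dir = std::fs::canonicalize(std::env::temp_dir()).expect("temp dir");
    let tmp = tmp_dir.join("open_verified_demo.txt");
    std::fs::write(&tmp, b"").expect("create temp file");
    match open_verified(&tmp) {
        Ok(_) => println!("verified open of {}", tmp.display()),
        Err(e) => println!("refused: {e}"),
    }
    let _ = std::fs::remove_file(&tmp);
}
```

The design point is that a string-level prefix test is evaluated before the kernel resolves the path, so it says nothing about where resolution ends up; comparing the target reported for the already-open descriptor checks the outcome rather than the intent.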
OSV (osv·2025-11-05): CVE-2025-62596 [HIGH] youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects. The advisory text mirrors the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.