CVE-2025-64750 — UNIX Symbolic Link (Symlink) Following in Singularity
Severity
NVD: 4.5 MEDIUM
GHSA: 7.3
OSV: 7.3
EPSS
0.0%
top 96.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 2
Latest update: Dec 8
Description
SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the t…
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Exploitability: 1.0 | Impact: 3.4