CVE-2025-47290

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-47290

Severity

Unknown

Summary

Containerd vulnerable to host filesystem access during image unpack

Description

containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

References

https://images.chainguard.dev/security/CGA-6354-g7fq-j3f2
https://github.com/advisories/GHSA-cm76-qm8v-3j95
https://images.chainguard.dev/security/CGA-7wq8-m8r5-pm45
https://images.chainguard.dev/security/CGA-9hpw-q2cj-jx42
https://images.chainguard.dev/security/CGA-3v7w-hmw2-rf77
https://images.chainguard.dev/security/CGA-382q-h364-p3hj
https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95
https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc
https://github.com/containerd/containerd/releases/tag/v2.1.1

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-47290

Severity

Summary

Description

References

Affected packages

Product

Solutions

Customers

Resources

Company