CVE-2025-47290

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-47290

Severity

5.9

Medium

CVSS V3

Description

containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

References

https://images.chainguard.dev/security/CGA-6354-g7fq-j3f2
https://github.com/advisories/GHSA-cm76-qm8v-3j95
https://images.chainguard.dev/security/CGA-7wq8-m8r5-pm45
https://images.chainguard.dev/security/CGA-9hpw-q2cj-jx42
https://images.chainguard.dev/security/CGA-3v7w-hmw2-rf77
https://images.chainguard.dev/security/CGA-382q-h364-p3hj
https://github.com/containerd/containerd/releases/tag/v2.1.1
https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95
https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-47290

Severity

Description

References

Affected packages

Product

Solutions

Customers

Resources

Company