CVE-2025-54867 in youki
Summary
by MITRE • 08/14/2025
Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/11/2025
The vulnerability identified as CVE-2025-54867 affects Youki, a container runtime implementation written in Rust that serves as an alternative to traditional container runtimes like containerd or runc. This security flaw exists in versions prior to 0.5.5 and represents a critical privilege escalation risk within containerized environments. The issue stems from improper handling of symbolic links within the container's root filesystem, specifically concerning the /proc and /sys mount points that are commonly used for container isolation and system access control.
The technical root cause of this vulnerability lies in how Youki processes symbolic links when mounting the root filesystem for containers. When /proc and /sys directories within the container's rootfs are symbolic links pointing to host locations, the runtime fails to properly validate or restrict access to these paths. This misconfiguration allows containerized processes to traverse the symbolic links and potentially access host filesystem components that should remain isolated. The flaw essentially creates a path traversal scenario where the symbolic link resolution bypasses normal container security boundaries, enabling unauthorized access to host resources.
From an operational perspective, this vulnerability presents a severe threat to container security and system integrity. An attacker who can influence or control the symbolic link setup within a container environment could potentially escalate privileges and gain access to the host's root filesystem. This access could enable the execution of arbitrary code on the host system, compromise other containers running on the same host, and ultimately lead to full system takeover. The impact extends beyond individual container compromise as it affects the fundamental security model of container isolation that organizations rely upon for microservices and cloud-native deployments.
The vulnerability aligns with CWE-22 Path Traversal and CWE-23 Relative Path Traversal, which specifically address improper handling of symbolic links and path resolution in security contexts. It also maps to several ATT&CK techniques including T1059 Command and Scripting Interpreter for executing commands and T1068 Exploitation for Windows privilege escalation. Organizations using Youki as their container runtime should immediately upgrade to version 0.5.5 or later to mitigate this risk. The fix implemented in version 0.5.5 addresses the symbolic link resolution logic to ensure proper validation of mount paths and prevents unauthorized access to host filesystem components. System administrators should conduct comprehensive audits of their container environments to identify any instances where /proc and /sys symbolic links might exist, and implement additional monitoring to detect potential exploitation attempts. Organizations should also review their container image creation processes to prevent the introduction of symbolic links that could exacerbate this vulnerability, particularly in development and testing environments where such configurations might be more prevalent.