CVE-2025-5981 in osv-scalibrinfo

Summary

by MITRE • 06/18/2025

Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/18/2025

The vulnerability identified as CVE-2025-5981 represents a critical path traversal flaw within the OSV-SCALIBR container image processing framework. This security weakness specifically manifests when the application's unpack() function handles container images through the --remote-image command line interface flag. The vulnerability allows an attacker to manipulate file paths during the extraction process, enabling arbitrary file write operations on the host system as the OSV-SCALIBR user context. This presents a significant escalation risk since the application typically operates with elevated privileges during container image processing, potentially allowing attackers to overwrite critical system files or inject malicious code into the host environment.

The technical exploitation of this vulnerability stems from inadequate input validation and path sanitization within the unpack() function implementation. When processing remote container images through the CLI interface, the application fails to properly validate or sanitize file paths contained within the container metadata, allowing attackers to craft malicious image content that includes directory traversal sequences such as ../ or ..\\. The vulnerability specifically affects the handling of container image archives where the application extracts files without proper bounds checking, enabling attackers to write files outside of the intended extraction directory. This flaw aligns with CWE-22 Path Traversal vulnerabilities and represents a direct violation of secure coding practices for file system operations.

The operational impact of CVE-2025-5981 extends beyond simple privilege escalation to encompass potential system compromise and data integrity violations. An attacker who successfully exploits this vulnerability can write arbitrary files to the host system, potentially leading to persistent backdoors, privilege escalation to root access, or system corruption. The attack surface is particularly concerning when considering that the vulnerability occurs during container image processing, which is a common operation in CI/CD pipelines and security scanning environments. This makes the vulnerability exploitable in automated workflows where untrusted container images are processed without proper sandboxing or security controls. The risk is amplified by the fact that container images are often pulled from public registries without proper verification, making this a widespread exposure across various deployment scenarios.

Security mitigations for CVE-2025-5981 should focus on implementing robust input validation and path sanitization within the unpack() function. Organizations should immediately implement strict file path validation that prevents directory traversal sequences from being processed during container image extraction. The recommended approach includes canonicalizing all file paths, implementing strict bounds checking, and ensuring that extracted files are confined to predetermined directories with appropriate access controls. Additionally, security controls should enforce the principle of least privilege by running the OSV-SCALIBR application with minimal necessary permissions and implementing containerization or sandboxing techniques to isolate image processing operations. Organizations should also consider implementing image verification mechanisms and content trust policies to prevent the processing of untrusted container images. From an ATT&CK framework perspective, this vulnerability maps to T1059 Command and Scripting Interpreter and T1566 Phishing, as exploitation typically occurs through the processing of malicious container images obtained from remote sources, making it a critical concern for organizations implementing container-based security controls and DevOps practices.

Responsible

Google

Reservation

06/10/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00208

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!