cvelistv5 - cve-2025-64750

CVE-2025-64750 (GCVE-0-2025-64750)

Vulnerability from cvelistv5

Published

2025-12-02 17:25

Modified

2025-12-02 17:54

Severity ?

4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-706 - Use of Incorrectly-Resolved Name or Reference

Summary

SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5.

References

URL

Tags

	security-advisories@github.com	https://github.com/advisories/GHSA-fh74-hm69-rqjw
	security-advisories@github.com	https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
	security-advisories@github.com	https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33
	security-advisories@github.com	https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0
	security-advisories@github.com	https://github.com/sylabs/singularity/pull/3850
	security-advisories@github.com	https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87

Impacted products

	Vendor	Product	Version
	sylabs	singularity	Version: > 4.2.0-rc.1, < 4.3.5 Version: < 4.1.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64750",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T17:47:25.267107Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T17:54:44.920Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "singularity",
          "vendor": "sylabs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e 4.2.0-rc.1, \u003c 4.3.5"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-706",
              "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-02T17:27:55.155Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"
        },
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
        },
        {
          "name": "https://github.com/sylabs/singularity/pull/3850",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sylabs/singularity/pull/3850"
        },
        {
          "name": "https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33"
        },
        {
          "name": "https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0"
        },
        {
          "name": "https://github.com/advisories/GHSA-fh74-hm69-rqjw",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-fh74-hm69-rqjw"
        }
      ],
      "source": {
        "advisory": "GHSA-wwrx-w7c9-rf87",
        "discovery": "UNKNOWN"
      },
      "title": "Singluarity ineffectively applies of selinux / apparmor LSM process labels"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64750",
    "datePublished": "2025-12-02T17:25:55.825Z",
    "dateReserved": "2025-11-10T22:29:34.873Z",
    "dateUpdated": "2025-12-02T17:54:44.920Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-64750\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-02T18:15:48.750\",\"lastModified\":\"2025-12-04T17:15:25.860\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":4.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.0,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-61\"},{\"lang\":\"en\",\"value\":\"CWE-706\"}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-fh74-hm69-rqjw\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sylabs/singularity/pull/3850\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64750\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-02T17:47:25.267107Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-02T17:53:24.707Z\"}}], \"cna\": {\"title\": \"Singluarity ineffectively applies of selinux / apparmor LSM process labels\", \"source\": {\"advisory\": \"GHSA-wwrx-w7c9-rf87\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"sylabs\", \"product\": \"singularity\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e 4.2.0-rc.1, \u003c 4.3.5\"}, {\"status\": \"affected\", \"version\": \"\u003c 4.1.11\"}]}], \"references\": [{\"url\": \"https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87\", \"name\": \"https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\", \"name\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sylabs/singularity/pull/3850\", \"name\": \"https://github.com/sylabs/singularity/pull/3850\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33\", \"name\": \"https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0\", \"name\": \"https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/advisories/GHSA-fh74-hm69-rqjw\", \"name\": \"https://github.com/advisories/GHSA-fh74-hm69-rqjw\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-61\", \"description\": \"CWE-61: UNIX Symbolic Link (Symlink) Following\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-706\", \"description\": \"CWE-706: Use of Incorrectly-Resolved Name or Reference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-02T17:27:55.155Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-64750\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-02T17:54:44.920Z\", \"dateReserved\": \"2025-11-10T22:29:34.873Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-02T17:25:55.825Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

ghsa-wwrx-w7c9-rf87

Vulnerability from github

Published

2025-12-02 21:07

Modified

2025-12-09 19:51

Severity ?

4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Summary

Singluarity ineffectively applies selinux / apparmor LSM process labels

Details

Impact

Native Mode (default)

Singularity's default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the --security selinux:<label> or --security apparmor:<profile> flags.

LSM labels are written to process or thread attrs/exec under /proc. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires:

The attacker to cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container.
Control of the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from.

Note that Singularity does not attempt to prevent damaging operations, or container escape, from containers that are started as the host root user. When a non-root user starts a container any LSM writes to /proc are performed as that user. For these reasons, the denial-of-service and container escape attacks detailed in runc CVE-2025-52881 are not relevant. Processes running in non-root containers are subject to the standard permissions for the non-root account used, and cannot escalate privilege, even when intended container-specific LSM labels are not correctly applied.

In addition, a bug in the detection of selinux support in Singularity's default setuid flow means that --security selinux:<label> flags may not be applied, even in the absence of an attack - but in this case a warning message is emitted, indicating that selinux is unavailable. This warning may be may be overlooked, mis-interpreted, or not seen when singularity is run from a script or other tool. Failure to apply requested restrictions should result in a fatal error, rather than a warning message.

OCI-Mode

Singularity's OCI-mode is unaffected as it does not currently support applying LSM restrictions via the --security flag.

Patches

Ineffective write of selinux process labels is addressed via an update to the containers/selinux dependency in https://github.com/sylabs/singularity/pull/3850. This update brings in the upstream fix for CVE-2025-52881 in this dependency.

Ineffective write of apparmor process labels is addressed in commit 5af3e79.

Failure to detect apparmor / selinux support, when --security flags are provided, is made an error rather than a warning in commit 2788296.

Workarounds

There are no known workarounds, other than to define system-wide apparmor / selinux policy for Singularity itself. This would apply to all containers, not just those run with the --security flags. Additionally, restrictions that are reasonable to apply to container processes may impact the functionality of Singularity.

References

Related vulnerabilities in runc:

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0-rc.1"
            },
            {
              "fixed": "4.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T21:07:02Z",
    "nvd_published_at": "2025-12-02T18:15:48Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n_**Native Mode (default)**_\n\nSingularity\u0027s default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the `--security selinux:\u003clabel\u003e` or `--security apparmor:\u003cprofile\u003e` flags.\n\nLSM labels are written to process or thread `attrs/exec` under `/proc`. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires:\n\n* The attacker to cause the user to run a malicious container image that redirects the mount of `/proc` to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container.\n* Control of the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from.\n\nNote that Singularity does not attempt to prevent damaging operations, or container escape, from containers that are started as the host root user. When a non-root user starts a container any LSM writes to /proc are performed as that user. For these reasons, the denial-of-service and container escape attacks detailed in [runc CVE-2025-52881](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm) are not relevant. Processes running in non-root containers are subject to the standard permissions for the non-root account used, and cannot escalate privilege, even when intended container-specific LSM labels are not correctly applied.\n\nIn addition, a bug in the detection of selinux support in Singularity\u0027s default setuid flow means that `--security selinux:\u003clabel\u003e` flags may not be applied, even in the absence of an attack  - but in this case a warning message is emitted, indicating that selinux is unavailable. This warning may be may be overlooked, mis-interpreted, or not seen when singularity is run from a script or other tool. Failure to apply requested restrictions should result in a fatal error, rather than a warning message.\n\n_**OCI-Mode**_\n\nSingularity\u0027s OCI-mode is unaffected as it does not currently support applying LSM restrictions via the `--security` flag.\n\n### Patches\n\nIneffective write of selinux process labels is addressed via an update to the containers/selinux dependency in https://github.com/sylabs/singularity/pull/3850. This update brings in the upstream fix for CVE-2025-52881 in this dependency.\n\nIneffective write of apparmor process labels is addressed in commit 5af3e79.\n\nFailure to detect apparmor / selinux support, when `--security` flags are provided, is made an error rather than a warning in commit 2788296.\n\n### Workarounds\n\nThere are no known workarounds, other than to define system-wide apparmor / selinux policy for Singularity itself. This would apply to all containers, not just those run with the `--security` flags. Additionally, restrictions that are reasonable to apply to container processes may impact the functionality of Singularity.\n\n### References\n\nRelated vulnerabilities in runc:\n\n* [runc CVE-2025-52881](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)\n* [runc CVE-2019-19921](https://github.com/advisories/GHSA-fh74-hm69-rqjw)",
  "id": "GHSA-wwrx-w7c9-rf87",
  "modified": "2025-12-09T19:51:27Z",
  "published": "2025-12-02T21:07:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/pull/3850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fh74-hm69-rqjw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sylabs/singularity"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Singluarity ineffectively applies selinux / apparmor LSM process labels"
}

fkie_cve-2025-64750

Vulnerability from fkie_nvd

Published

2025-12-02 18:15

Modified

2025-12-04 17:15

Severity ?

4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/advisories/GHSA-fh74-hm69-rqjw
	security-advisories@github.com	https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
	security-advisories@github.com	https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33
	security-advisories@github.com	https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0
	security-advisories@github.com	https://github.com/sylabs/singularity/pull/3850
	security-advisories@github.com	https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5."
    }
  ],
  "id": "CVE-2025-64750",
  "lastModified": "2025-12-04T17:15:25.860",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 4.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-02T18:15:48.750",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/advisories/GHSA-fh74-hm69-rqjw"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sylabs/singularity/pull/3850"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-61"
        },
        {
          "lang": "en",
          "value": "CWE-706"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-64750 (GCVE-0-2025-64750)

Vulnerability from cvelistv5

ghsa-wwrx-w7c9-rf87

Vulnerability from github

Impact

Patches

Workarounds

References

fkie_cve-2025-64750

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature