Skip to main content
CVE Vulnerability Database

CVE-2025-4953: Podman Information Disclosure Vulnerability

CVE-2025-4953 is an information disclosure flaw in Podman where data written to RUN --mount=type=bind during builds persists on the host. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-4953 Overview

A vulnerability has been identified in Podman where data written to RUN --mount=type=bind mounts during the podman build process is not properly discarded. This flaw allows files created within the container during the build phase to persist in the temporary build context directory on the host system, potentially exposing sensitive data to unauthorized access.

Critical Impact

Files created during container builds can leak to the host filesystem, potentially exposing secrets, credentials, or sensitive configuration data to unauthorized users with access to the build context directory.

Affected Products

  • Podman container engine (unpatched versions)
  • Red Hat Enterprise Linux distributions using affected Podman versions
  • Container build environments utilizing RUN --mount=type=bind directives

Discovery Timeline

  • September 16, 2025 - CVE-2025-4953 published to NVD
  • January 15, 2026 - Last updated in NVD database

Technical Details for CVE-2025-4953

Vulnerability Analysis

This vulnerability is classified under CWE-378 (Creation of Temporary File With Insecure Permissions). The core issue lies in Podman's handling of bind mounts during the container build process. When a Containerfile specifies RUN --mount=type=bind, the build system creates a temporary mount point that should be ephemeral and isolated from the host filesystem.

However, due to improper cleanup mechanisms, data written to these bind mounts during build operations persists on the host system after the build completes. This breaks the expected isolation boundary between the container build environment and the host, creating an information disclosure pathway.

The vulnerability requires network-based attack complexity conditions to be met, as exploitation typically involves scenarios where an attacker can influence the build process or access shared build infrastructure.

Root Cause

The root cause stems from improper handling of temporary filesystem resources during the Podman build lifecycle. Specifically, the build system fails to properly discard or clean up data written to bind mounts specified with the --mount=type=bind option in RUN instructions. This results in build artifacts unexpectedly persisting in the temporary build context directory on the host system, rather than being discarded when the build layer completes.

Attack Vector

The attack vector operates through the container build process. An attacker with the ability to influence Containerfile content or access to shared build infrastructure can exploit this vulnerability to:

  1. Create files containing sensitive data during a build that persist on the host
  2. Access files left behind by other users' builds on shared build systems
  3. Exfiltrate secrets or credentials that were expected to remain contained within the ephemeral build environment

In multi-tenant or CI/CD environments, this is particularly dangerous as build context directories may be accessible to multiple users or processes, enabling cross-tenant information disclosure.

Detection Methods for CVE-2025-4953

Indicators of Compromise

  • Unexpected files appearing in Podman temporary build context directories
  • Files in /var/tmp/ or build staging areas that persist after builds complete
  • Modified timestamps on build directories that don't align with expected build activity

Detection Strategies

  • Monitor filesystem events in Podman build context directories for unexpected file creation
  • Implement file integrity monitoring on directories used for container builds
  • Audit Containerfiles for RUN --mount=type=bind usage patterns
  • Review build logs for suspicious mount operations or file creation during builds

Monitoring Recommendations

  • Enable audit logging for file operations in Podman build directories
  • Configure alerting for files persisting in temporary build contexts beyond expected timeframes
  • Implement regular scanning of build infrastructure for residual build artifacts
  • Monitor for unauthorized access attempts to build context directories

How to Mitigate CVE-2025-4953

Immediate Actions Required

  • Apply the latest Podman security updates from your distribution vendor
  • Review existing Containerfiles for RUN --mount=type=bind usage and assess exposure
  • Implement cleanup scripts to purge temporary build contexts after builds complete
  • Restrict filesystem permissions on build context directories to limit exposure

Patch Information

Red Hat has released multiple security advisories addressing this vulnerability. Organizations should apply the appropriate patches for their environment:

The fix is tracked in GitHub Podman Pull Request #25173 and additional details are available in Red Hat Bugzilla Report #2367235.

Workarounds

  • Avoid using RUN --mount=type=bind in Containerfiles until patches are applied
  • Implement automated cleanup of build context directories after each build
  • Use isolated build environments with ephemeral storage for sensitive builds
  • Restrict access to build infrastructure to minimize exposure risk
bash
# Configuration example: Cleanup script for build context directories
#!/bin/bash
# Run after podman builds to clean temporary contexts
find /var/tmp -type d -name "buildah*" -mmin +30 -exec rm -rf {} \; 2>/dev/null
find /var/tmp -type d -name "libpod*" -mmin +30 -exec rm -rf {} \; 2>/dev/null

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.