CVE-2025-47290

Description

### Impact A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. ### Patches This bug has been fixed in the following containerd versions: * 2.1.1 The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. Users should update to this version to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank Tõnis Tiigi for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md). ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47290 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [[email protected]](mailto:[email protected]) To report a security issue in containerd: * [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new) * Email us at [[email protected]](mailto:[email protected])

Affected packages (2)

• Go/github.com/containerd/containerd/v2>= 2.1.0, < 2.1.1
• Go/github.com/containerd/containerd/v2>= 2.1.0, < 2.1.1

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-47290
• PATCHhttps://github.com/containerd/containerd
• WEBhttps://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc
• WEBhttps://github.com/containerd/containerd/releases/tag/v2.1.1
• WEBhttps://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95