Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target. This issue is fixed in version 0.5.7.
References
| Link | Resource |
|---|---|
| https://github.com/youki-dev/youki/commit/5886c91073b9be748bd8d5aed49c4a820548030a | Patch |
| https://github.com/youki-dev/youki/security/advisories/GHSA-vf95-55w6-qmrf | Vendor Advisory |
| https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs | Not Applicable |
| https://youtu.be/tGseJW_uBB8 | Not Applicable |
| https://youtu.be/y1PaBzxwRWQ | Not Applicable |
Configurations
History
10 Nov 2025, 17:58
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:youki-dev:youki:*:*:*:*:*:rust:*:* | |
| First Time |
Youki-dev
Youki-dev youki |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
| References | () https://github.com/youki-dev/youki/commit/5886c91073b9be748bd8d5aed49c4a820548030a - Patch | |
| References | () https://github.com/youki-dev/youki/security/advisories/GHSA-vf95-55w6-qmrf - Vendor Advisory | |
| References | () https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs - Not Applicable | |
| References | () https://youtu.be/tGseJW_uBB8 - Not Applicable | |
| References | () https://youtu.be/y1PaBzxwRWQ - Not Applicable |
06 Nov 2025, 00:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-06 00:15
Updated : 2025-11-10 17:58
NVD link : CVE-2025-62596
Mitre link : CVE-2025-62596
CVE.ORG link : CVE-2025-62596
JSON object : View
Products Affected
youki-dev
- youki