CVE-2025-31133

Published Nov 6, 2025

Last updated 3 months ago

CVSS high 7.3
Container Security

Overview

Description
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2, when using the container's /dev/null to mask, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode. This exposes two methods of attack: an arbitrary mount gadget (leading to host information disclosure, host denial of service, or container escape), or a bypass of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
runc

Risk scores

CVSS 4.0

Type
Secondary
Base score
7.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
7.8
Impact score
6
Exploitability score
1.1
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-61

Social media

  1. What do CVE-2025-31133, 52565, and 52881 reveal about runc's hidden pitfalls? Could a single exploit erode container trust? Dive deep into AWS security bulletin and question what guards you need. https://t.co/8t83eezeBc #aws #security

    @TechBlitzHQ

    29 Jan 2026

  2. #VulnerabilityReport #containerescape OCI Fixes Container Escape Vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) https://t.co/MSgAVO9Dle

    @Komodosec

    13 Dec 2025

  3. Thrilled! My @CloudNativeFdn blog on runc breakout vulns (CVE-2025-31133 etc.) is live. Honored to advocate for cloud native security. https://t.co/5aPnB1thRm #CloudNative #Kubernetes

    @IamMatteoBisi

    28 Nov 2025

  4. We have updated the SIOS Security Blog. runc vulnerabilities (Important: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) #sios_tech #security #セキュリティ https://t.co/XvdeohK0hz

    @omokazuki

    17 Nov 2025

  5. runc vulnerabilities (Important: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) #sios_tech #security #セキュリティ https://t.co/XvdeohK0hz

    @omokazuki

    16 Nov 2025

  6. AWS has announced important security issues concerning runc containers (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881). Caution is needed. Check the details and take appropriate measures. #AWS #セキュリティ https://t.co/ODVmPAHcp

    @OCGOT1616

    11 Nov 2025

  7. Runc vulnerabilities CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 allow container escape and root access on hosts running Kubernetes and Docker. Patches are available but risks remain with untrusted images. #ContainerSecurity #KubernetesRisk https://t.co/r2svfOK2hp

    @TweetThreatNews

    10 Nov 2025

  8. These are the fixes in Red Hat products for the runc-related CVEs announced the other day. CVE-2025-31133: https://t.co/ljWeQvJ2L0 CVE-2025-52565: https://t.co/v5ZyUlnKyz CVE-2025-52881: https://t.co/xK6B78zJr5

    @orimanabu

    10 Nov 2025

  9. ⚠️ New: Three runC flaws (CVE-2025-31133 / 52565 / 52881) let an attacker abusing symlinks/mounts escape Docker/K8s containers and write to /proc. Fixes available in runC 1.2.8, 1.3.3, 1.4.0-rc.3+. Quick steps: patch runC, use rootless/user-ns containers, monitor symlink htt

    @TechNadu

    10 Nov 2025

  10. "New runc vulnerabilities make container escape possible: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881" On November 5, 2025, SUSE researchers disclosed three vulnerabilities. https://t.co/nXa9XLaocc #脆弱性 #CV

    @TakaoShimizu1

    10 Nov 2025

  11. oss-sec: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 https://t.co/5NjEXUU2H4

    @akaclandestine

    9 Nov 2025

  12. #Kubernetes: Newly disclosed #vulnerabilities in the #runC container runtime used in #Docker & Kubernetes (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could be exploited to bypass isolation restrictions & get access to the host system (escape): #k8s https://t.co/uS

    @securestep9

    9 Nov 2025

  13. New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 https://t.co/VVqkawy1LD

    @jreuben1

    8 Nov 2025

  14. AWS released new Amazon Machine Images AMIs for Amazon ECS, AWS Elastic Beanstalk, Bottlerocket on November 5, 2025, to address critical runc security vulnerabilities CVE-2025-31133, CVE-2025-52565, CVE-2025-52881. Customers are strongly recommended to update to versions to fix.

    @ismailriyaz999

    8 Nov 2025

  15. How to Detect and Hunt the runc Container Escape Flaws (IOCs & Detection Rules for CVE-2025-31133) Read the full report on - https://t.co/QzQXrdHyHe https://t.co/A7CTF7F4D3

    @cyberbivash

    7 Nov 2025

  16. runc: Container escapes via procfs writes https://t.co/pDDvCWQtsL CVE-2025-31133: via masked path abuse due to mount race conditions CVE-2025-52565: with malicious config due to /dev/console mount and related races CVE-2025-52881: and DoS due to arbitrary write gadgets and procfs

    @oss_security

    7 Nov 2025

  17. runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 https://t.co/EF1sO5kbd0

    @ytroncal

    5 Nov 2025

  18. 3 new container breakouts in runc CVE-2025-31133 CVE-2025-52565 CVE-2025-52881 - containers don't contain! containers are a security dumpsterfire https://t.co/OLegTlKCXx

    @nanovms

    5 Nov 2025

Configurations