DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2025-54867: The Rust Runtime That Blinked: Breaking Out of Youki via Symlinks


Vulnerability ID: CVE-2025-54867
CVSS Score: 7.0
Published: 2025-08-14

While Rust guarantees memory safety, it cannot protect developers from logic errors. A critical vulnerability in the 'youki' container runtime allows malicious container images to trick the runtime into mounting sensitive pseudo-filesystems onto the host machine via symbolic links, effectively bypassing container isolation.

TL;DR

The 'youki' container runtime failed to validate destination paths when mounting /proc and /sys. A malicious image containing symlinks at these locations can trick the runtime into writing mounts to the host filesystem, leading to container escape.
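The following is an added example, not youki's own code, showing the defensive check the TL;DR implies: before a runtime mounts /proc or /sys into a container rootfs, every component of the destination path must be confirmed not to be a symlink, otherwise the mount lands wherever the image's symlink points on the host. It also contrasts that component-by-component walk with a check that inspects only the final component, which passes a destination whose parent directory is the symlink. The scratch rootfs, the `host` directory standing in for the host filesystem, and all function names are constructed for the demo.

```rust
// Added example (not youki's code): validate a mount destination inside a
// container rootfs so that a symlink planted by the image cannot redirect
// the mount onto the host filesystem.
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum MountDestError {
    /// Some component of the destination is a symlink.
    SymlinkComponent(PathBuf),
    /// `..` or a prefix component would leave the rootfs.
    ParentDirComponent,
    Io(String),
}

/// Walk `dest` (a path as written in the container config, e.g. "/proc")
/// one component at a time under `rootfs`, refusing any component that is a
/// symlink. Components that do not exist yet are allowed, because the runtime
/// creates the mountpoint itself. Returns the rootfs-joined path on success.
pub fn validate_mount_dest(rootfs: &Path, dest: &Path) -> Result<PathBuf, MountDestError> {
    let mut cur = rootfs.to_path_buf();
    for comp in dest.components() {
        match comp {
            Component::RootDir | Component::CurDir => {}
            Component::ParentDir | Component::Prefix(_) => {
                return Err(MountDestError::ParentDirComponent)
            }
            Component::Normal(name) => {
                cur.push(name);
                // symlink_metadata does not follow the *last* component, so
                // checking after each push inspects exactly this component.
                match fs::symlink_metadata(&cur) {
                    Ok(md) if md.file_type().is_symlink() => {
                        return Err(MountDestError::SymlinkComponent(cur))
                    }
                    Ok(_) => {}
                    Err(e) if e.kind() == io::ErrorKind::NotFound => {}
                    Err(e) => return Err(MountDestError::Io(e.to_string())),
                }
            }
        }
    }
    Ok(cur)
}

/// A weaker check that looks only at the final component of the joined path.
/// Because symlink_metadata follows every component except the last, a
/// symlink at an intermediate directory is silently traversed.
pub fn final_component_only(rootfs: &Path, dest: &Path) -> bool {
    let full = rootfs.join(dest.strip_prefix("/").unwrap_or(dest));
    match fs::symlink_metadata(&full) {
        Ok(md) => !md.file_type().is_symlink(),
        Err(_) => true, // not present yet: the runtime would create it
    }
}

pub struct DemoResults {
    pub sys_accepted: bool,
    pub proc_rejected: bool,
    pub nested_rejected: bool,
    pub naive_misses_nested: bool,
}

/// Build a constructed rootfs in the temp dir: a benign `sys` directory and a
/// malicious `proc` symlink pointing at `host/` (standing in for the host
/// filesystem), then run both checks against it.
pub fn demo() -> io::Result<DemoResults> {
    let base = std::env::temp_dir().join(format!("youki-symlink-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let rootfs = base.join("rootfs");
    let host = base.join("host");
    fs::create_dir_all(rootfs.join("sys"))?;
    fs::create_dir_all(host.join("sys"))?;
    symlink(&host, rootfs.join("proc"))?; // the image's planted symlink

    let results = DemoResults {
        sys_accepted: validate_mount_dest(&rootfs, Path::new("/sys")).is_ok(),
        proc_rejected: matches!(
            validate_mount_dest(&rootfs, Path::new("/proc")),
            Err(MountDestError::SymlinkComponent(_))
        ),
        nested_rejected: validate_mount_dest(&rootfs, Path::new("/proc/sys")).is_err(),
        naive_misses_nested: final_component_only(&rootfs, Path::new("/proc/sys")),
    };
    let _ = fs::remove_dir_all(&base);
    Ok(results)
}

fn main() {
    match demo() {
        Ok(r) => println!(
            "sys accepted: {}, proc rejected: {}, nested rejected: {}, final-component-only check misses nested symlink: {}",
            r.sys_accepted, r.proc_rejected, r.nested_rejected, r.naive_misses_nested
        ),
        Err(e) => eprintln!("demo setup failed: {}", e),
    }
}
```

Running it reports that `/sys` is accepted, `/proc` and `/proc/sys` are rejected by the component walk, and `/proc/sys` slips past the final-component-only check. A check-then-mount sequence like this is still racy if the rootfs can change between the check and the mount; a runtime that wants to close that gap opens the destination with `openat2` and `RESOLVE_BENEATH` (Linux 5.6+) so that the kernel itself refuses any resolution outside the rootfs.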


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-61 (Symlink Following)
  • CVSS: 7.0 (High)
  • Attack Vector: Local (via Malicious Image)
  • Privileges: Low (Container User)
  • Impact: Container Escape / Host FS Access
  • Patch: youki v0.5.5

Affected Systems

  • youki container runtime < 0.5.5 (fixed in 0.5.5)

Code Analysis

Commit: 0d9b4f2

Fixed CVE-2025-54867: Validate proc/sys mount destinations are not symlinks

+ if fs::symlink_metadata(&dest)?.file_type().is_symlink() { return Err(...) }
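Review bot: `fs::symlink_metadata(&dest)` refuses to follow only the final component of `dest`, so this rejects `proc` or `sys` itself being a symlink but not a symlink at a parent directory of `dest`, unless `dest` has already been resolved with a symlink-safe join before this line; that precondition should be stated in the commit message, or the check should walk each component. The `?` also turns a not-yet-created mountpoint into an error, so ordering relative to mountpoint creation matters (or `NotFound` should be tolerated), and the elided `Err(...)` should name the offending path so operators can distinguish a rejected image from a runtime fault.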

Exploit Details

  • Research Analysis: Standard container image symlink exploitation technique (similar to runc CVE-2023-27561)

Mitigation Strategies

  • Upgrade Runtime
  • Image Scanning
  • Admission Control

Remediation Steps:

  1. Identify nodes running youki versions < 0.5.5.
  2. Drain the node to prevent new pod scheduling.
  3. Upgrade the youki binary to version 0.5.5 or later.
  4. Restart the container runtime service (e.g., containerd/crio).
  5. Verify the version using youki --version.

Read the full report for CVE-2025-54867 on our website for more details including interactive diagrams and full exploit analysis.
