Race Condition Enabling Link Following Affecting github.com/opencontainers/runc/libcontainer package, versions <1.2.8>=1.3.0-rc.1 <1.3.3>=1.4.0-rc.1 <1.4.0-rc.3
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMOPENCONTAINERSRUNCLIBCONTAINER-13843075
- published6 Nov 2025
- disclosed5 Nov 2025
- creditLei Wang, lfbzhm
Introduced: 5 Nov 2025
NewCVE-2025-31133 Â (opens in a new tab)How to fix?
Upgrade github.com/opencontainers/runc/libcontainer to version 1.2.8, 1.3.3, 1.4.0-rc.3 or higher.
Overview
github.com/opencontainers/runc/libcontainer is a package for a modern container runtime.
Affected versions of this package are vulnerable to Race Condition Enabling Link Following via a race condition in the maskedPaths feature. An attacker can gain unauthorized access to host files, execute arbitrary code with elevated privileges, or cause a denial of service by manipulating the /dev/null inode or replacing it with a symlink to an attacker-controlled path during container creation. This allows bind-mounting arbitrary files to path inside the container, or bypassing intended masking protections, potentially exposing sensitive host information or enabling container escape.
Note:
This is only exploitable if the attacker can influence the container's /dev/null prior to the bind-mount operation or trigger parallel container executions with shared mounts.
Workarounds
Using user namespaces for containers.
Configuring containers to avoid root privileges.
Applying restrictive AppArmor profiles.
Avoiding untrusted container images.