Description
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
Published: 2025-09-16
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Podman causes data written to RUN --mount=type=bind mounts during build to persist in the host's temporary build context. As a result, any files created inside the container can appear in a directory on the host and remain accessible after the build finishes. This allows an attacker who can control the build process to leak files and potentially sensitive build artifacts, exposing confidential information.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux 8, 9, and 10 as well as Red Hat OpenShift Container Platform versions 4.12 through 4.18. No specific Podman package version ranges are listed; any installation of Podman on the affected platforms that includes the vulnerable code is at risk.

Risk and Exploitability

With a CVSS score of 7.4 and an EPSS of less than 1%, the exploit likelihood is low in general, but the impact is significant if the build environment is compromised. The attack vector is inferred to be local or via a compromised build pipeline, where the attacker supplies a Dockerfile or runs Podman with bind mounts that create or expose files. The vulnerability is not currently listed in the CISA KEV catalog, so it may not be actively exploited in the wild yet.

Generated by OpenCVE AI on May 1, 2026 at 06:21 UTC.

Remediation

Vendor Workaround

Avoid long-running build steps and overly permissive file permissions. Use RUN --mount=type=secret for sensitive data instead of bind mounts.


OpenCVE Recommended Actions

  • Apply a patched Podman version by installing the relevant Red Hat errata updates (e.g., RHSA-2025:15904, RHSA-2025:16724, RHSA-2025:16729, RHSA-2025:17669 or the latest applicable errata).
  • Restart any services or rebuild pipelines that use Podman to ensure they are running the updated binary.
  • As an interim measure, modify Containerfiles to avoid long-running build stages that use type=bind mounts, and replace sensitive data mounts with type=secret when possible.
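A Containerfile that applies the vendor workaround and the interim action above, added here as an illustration rather than anything taken from the advisory, Red Hat, or the Podman project: the weak pattern (a credential brought in over a bind mount that a RUN step also writes into) next to the hardened form that uses a secret mount. The base image, the fetch-deps.sh helper, the api_token secret id and the secret's host path are assumed placeholders.

```dockerfile
# Weak pattern (kept commented out): the build reads a token from a bind
# mount of the host's ./creds directory and the same RUN step writes into
# that mount. With the flaw described above, anything written there can
# survive in the temporary build context on the host after the build ends.
#
# FROM registry.access.redhat.com/ubi9/ubi-minimal
# COPY fetch-deps.sh /usr/local/bin/fetch-deps.sh
# RUN --mount=type=bind,source=./creds,target=/run/creds,rw \
#     fetch-deps.sh --token-file /run/creds/token \
#     && date > /run/creds/last-run          # written into the bind mount

# Hardened form: the token arrives as a build secret, which is mounted only
# for this RUN step and is committed neither to the image nor to the context.
FROM registry.access.redhat.com/ubi9/ubi-minimal
COPY fetch-deps.sh /usr/local/bin/fetch-deps.sh
# Nothing is written back to a host-backed mount; any state the step must
# keep goes to a path inside the image layer (/var/lib/app) instead.
RUN --mount=type=secret,id=api_token,target=/run/secrets/api_token \
    fetch-deps.sh --token-file /run/secrets/api_token \
    && mkdir -p /var/lib/app && date > /var/lib/app/last-run

# Build with the secret read from a file that lives outside the build
# context directory (placeholder path):
#   podman build --secret id=api_token,src=/etc/build-secrets/api_token -t app:latest .
```

The secret file is never copied into the context, so even on an unpatched host it cannot be left behind by the mechanism this CVE describes; the errata update is still required for bind mounts that other steps legitimately use.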

Advisories

Source: EUVD; ID: EUVD-2025-29612; Title: Podman Creates Temporary File with Insecure Permissions
Source: GitHub GHSA; ID: GHSA-m68q-4hqr-mc6f; Title: Podman Creates Temporary File with Insecure Permissions

History

Each entry lists the record fields that changed; where the record shows both an old and a new value, they are marked (removed) and (added).

Thu, 15 Jan 2026 10:15:00 +0000
  References: updated

Thu, 08 Jan 2026 03:30:00 +0000
  CPEs: cpe:/a:redhat:openshift:4.15::el9
  References: updated

Thu, 11 Dec 2025 11:00:00 +0000
  CPEs: cpe:/a:redhat:openshift:4.14::el9
  References: updated

Thu, 11 Dec 2025 05:15:00 +0000
  References: updated

Thu, 11 Dec 2025 04:45:00 +0000
  References: updated

Fri, 05 Dec 2025 18:45:00 +0000
  References: updated

Wed, 03 Dec 2025 15:45:00 +0000
  CPEs: cpe:/a:redhat:openshift:4.17::el9
  References: updated

Fri, 28 Nov 2025 13:15:00 +0000
  CPEs: cpe:/a:redhat:openshift:4.13::el8, cpe:/a:redhat:openshift:4.13::el9
  References: updated

Fri, 21 Nov 2025 06:30:00 +0000
  CPEs: cpe:/o:redhat:enterprise_linux:8 (removed); cpe:/a:redhat:enterprise_linux:8::appstream (added)
  References: updated

Mon, 10 Nov 2025 14:00:00 +0000
  References: updated

Thu, 16 Oct 2025 11:15:00 +0000
  CPEs: cpe:/a:redhat:openshift:4.12::el8, cpe:/a:redhat:openshift:4.12::el9
  References: updated

Wed, 08 Oct 2025 16:15:00 +0000
  CPEs: cpe:/o:redhat:rhivos:1
  Vendors & Products: Redhat rhivos

Wed, 01 Oct 2025 16:45:00 +0000
  CPEs: cpe:/a:redhat:openshift:4.18::el8, cpe:/a:redhat:openshift:4.18::el9
  References: updated

Wed, 01 Oct 2025 15:00:00 +0000
  CPEs: cpe:/a:redhat:openshift:4.16::el8, cpe:/a:redhat:openshift:4.16::el9
  References: updated

Wed, 01 Oct 2025 13:45:00 +0000
  First Time appeared: Redhat rhivos
  CPEs: cpe:/o:redhat:rhivos:1
  Vendors & Products: Redhat rhivos

Wed, 17 Sep 2025 00:15:00 +0000
  References: updated
  Metrics threat_severity: None (removed); Moderate (added)

Tue, 16 Sep 2025 17:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 16 Sep 2025 15:00:00 +0000
  Description: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
  Title: Podman: build context bind mount
  First Time appeared: Redhat, Redhat enterprise Linux, Redhat openshift
  Weaknesses: CWE-378
  CPEs: cpe:/a:redhat:openshift:4, cpe:/o:redhat:enterprise_linux:10, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
  Vendors & Products: Redhat, Redhat enterprise Linux, Redhat openshift
  References: updated
  Metrics cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-23T12:00:35.591Z

Reserved: 2025-05-19T11:55:32.522Z

Link: CVE-2025-4953

Vulnrichment

Updated: 2025-09-16T16:15:18.848Z

NVD

Status: Deferred

Published: 2025-09-16T15:15:45.313

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4953

Redhat

Severity: Moderate

Publish Date: 2025-09-16T00:00:00Z

Links: CVE-2025-4953 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses