Vulnerability Description
containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Containerd | 2.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80Patch
- https://github.com/containerd/containerd/releases/tag/v2.1.1Release Notes
- https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95Vendor Advisory
FAQ
What is CVE-2025-47290?
CVE-2025-47290 is a vulnerability with a CVSS score of 5.9 (MEDIUM). containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container imag...
How severe is CVE-2025-47290?
CVE-2025-47290 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-47290?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Containerd.