
CVE-2025-6032 github.com/containers/podman/v5

Package

Manager: go
Name: github.com/containers/podman/v5
Vulnerable Version: >=0 <5.5.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

EPSS: 0.00037 pctl0.09724

Details

Podman Improper Certificate Validation; machine missing TLS verification

Impact

The podman machine init command fails to verify the TLS certificate when downloading VM images from an OCI registry (which it does by default since 5.0.0), allowing a possible man-in-the-middle attack.

Patches

https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3

Fixed in v5.5.2

Workarounds

Download the disk image manually with some other tool that verifies the TLS connection, then pass the local image as a file path (podman machine init --image ./somepath).

Metadata

Created: 2025-06-25T21:57:00Z
Modified: 2025-07-31T00:31:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-65gg-3w2w-hr4h/GHSA-65gg-3w2w-hr4h.json
CWE IDs: CWE-295
Alternative ID: GHSA-65gg-3w2w-hr4h
Finding: F163
Auto approve: 1