CVE-2025-4953: Creation of Temporary File With Insecure Permissions
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
AI Analysis
Technical Summary
The vulnerability CVE-2025-4953 in Podman arises from improper handling of temporary files during container image builds using RUN --mount=type=bind mounts. Data written inside the container during the build phase is not discarded as intended, causing files created within the container to persist in the host's temporary build context directory with insecure permissions. This exposure can allow unauthorized access to sensitive data created during the build process. The issue affects Red Hat OpenShift Container Platform 4.12 and related container tools. Red Hat has released updated packages and container images to remediate this vulnerability, as detailed in their security advisories RHSA-2024:8690 and RHSA-2025:15904. Users are advised to upgrade to these fixed versions promptly.
Potential Impact
Successful exploitation of this vulnerability could lead to unauthorized disclosure of sensitive files created during container builds, impacting confidentiality and integrity of data. The CVSS score of 7.4 reflects a high severity with network attack vector, high complexity, no privileges required, no user interaction, and impact on confidentiality and integrity but not availability. There are no known exploits in the wild currently. The vulnerability affects container build environments using Podman, particularly in Red Hat OpenShift Container Platform 4.12 and container-tools modules on RHEL 8.
Mitigation Recommendations
Red Hat has released official security updates addressing CVE-2025-4953. Users of Red Hat OpenShift Container Platform 4.13 and container-tools modules on RHEL 8 should upgrade to the latest available packages and container images as per advisories RHSA-2024:8690 and RHSA-2025:15904. Instructions for upgrading clusters and applying asynchronous errata updates are available on Red Hat's documentation portals. No additional mitigation actions are required beyond applying these official fixes.
CVE-2025-4953: Creation of Temporary File With Insecure Permissions
Description
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2025-4953 in Podman arises from improper handling of temporary files during container image builds using RUN --mount=type=bind mounts. Data written inside the container during the build phase is not discarded as intended, causing files created within the container to persist in the host's temporary build context directory with insecure permissions. This exposure can allow unauthorized access to sensitive data created during the build process. The issue affects Red Hat OpenShift Container Platform 4.12 and related container tools. Red Hat has released updated packages and container images to remediate this vulnerability, as detailed in their security advisories RHSA-2024:8690 and RHSA-2025:15904. Users are advised to upgrade to these fixed versions promptly.
Potential Impact
Successful exploitation of this vulnerability could lead to unauthorized disclosure of sensitive files created during container builds, impacting confidentiality and integrity of data. The CVSS score of 7.4 reflects a high severity with network attack vector, high complexity, no privileges required, no user interaction, and impact on confidentiality and integrity but not availability. There are no known exploits in the wild currently. The vulnerability affects container build environments using Podman, particularly in Red Hat OpenShift Container Platform 4.12 and container-tools modules on RHEL 8.
Mitigation Recommendations
Red Hat has released official security updates addressing CVE-2025-4953. Users of Red Hat OpenShift Container Platform 4.13 and container-tools modules on RHEL 8 should upgrade to the latest available packages and container images as per advisories RHSA-2024:8690 and RHSA-2025:15904. Instructions for upgrading clusters and applying asynchronous errata updates are available on Red Hat's documentation portals. No additional mitigation actions are required beyond applying these official fixes.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2025-05-19T11:55:32.522Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/errata/RHSA-2024:8690","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:15904","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:16724","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:16729","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:17669","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:22265","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:22275","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:22695","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:22724","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:22732","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:23113","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:2703","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:0316","vendor":"Red Hat"},{"url":"https://access.redhat.com/security/cve/CVE-2025-4953","vendor":"Red Hat"}]
Threat ID: 68c97badd327290d6e7319d0
Added to database: 9/16/2025, 3:01:01 PM
Last enriched: 4/24/2026, 3:40:23 PM
Last updated: 5/10/2026, 1:43:36 AM
Views: 270
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.