
CVE-2025-53880: CWE-35: Path Traversal in SUSE Container suse/manager/4.3/proxy-httpd:latest

Severity: High
Type: Vulnerability
Tags: CVE-2025-53880, cve, cve-2025-53880, cwe-35
Published: Thu Oct 30 2025 (10/30/2025, 10:31:15 UTC)
Source: CVE Database V5
Vendor/Project: SUSE
Product: Container suse/manager/4.3/proxy-httpd:latest

Description

A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 05:29:32 UTC

Technical Analysis

CVE-2025-53880 is a path traversal vulnerability categorized under CWE-35, found in the SUSE container image suse/manager/4.3/proxy-httpd:latest. The issue resides in the tftpsync/add and tftpsync/delete scripts, which handle file synchronization operations. These scripts do not properly sanitize input paths, allowing an attacker on an adjacent network segment to traverse directories and write or delete arbitrary files on the container's filesystem. The operations are performed with the privileges of the wwwrun user, which is an unprivileged user but still capable of modifying files within the container environment. The endpoint exposing these scripts does not require authentication, increasing the risk, although access is limited to a predefined list of allowed IP addresses, reducing the attack surface. The vulnerability has a CVSS 4.0 score of 8.7, reflecting high severity due to the ease of exploitation (no authentication or user interaction required), the impact on confidentiality, integrity, and availability, and the scope limited to adjacent network attackers. No patches or known exploits are currently available, but the vulnerability is publicly disclosed as of October 30, 2025. This flaw could be exploited to manipulate container files, potentially leading to container compromise or disruption of services relying on the container.
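
The following is an added example, not SUSE's code and not part of the original page: a containment check of the kind whose absence lets a file name escape the directory a sync endpoint is meant to manage, shown beside the unchecked join. The function names, the temporary directory standing in for the TFTP root, and the sample names are assumptions made for illustration.

```python
import os
import tempfile

class PathEscapeError(ValueError):
    """Raised when a requested name resolves outside the managed directory."""

def naive_target(base_dir, name):
    # Vulnerable pattern: joins untrusted input without checking the result.
    return os.path.normpath(os.path.join(base_dir, name))

def safe_target(base_dir, name):
    # Reject empty names, NUL bytes and absolute paths before joining.
    if not name or "\x00" in name or os.path.isabs(name):
        raise PathEscapeError(f"rejected name: {name!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the comparison is
    # made on the location the write or delete would really touch.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base or target == base:
        raise PathEscapeError(f"{name!r} resolves outside {base}")
    return target

def check_names(base_dir, names):
    """Return {name: True/False} for whether safe_target accepts each name."""
    result = {}
    for name in names:
        try:
            safe_target(base_dir, name)
            result[name] = True
        except PathEscapeError:
            result[name] = False
    return result

def demo():
    # Constructed sample layout: a temp dir stands in for the TFTP root.
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "tftpboot")
        os.makedirs(os.path.join(base, "images"))
        # A symlink inside the tree that points outside it.
        os.symlink(root, os.path.join(base, "link"))
        names = ["images/pxe.cfg", "../outside.conf", "images/../../x",
                 "/etc/motd", "link/outside.conf", ""]
        return check_names(base, names)

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name!r:24} {'accepted' if ok else 'rejected'}")
```

The check resolves the path before the file operation, so a handler that can race with symlink creation inside the managed directory should also open the target without following symlinks.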

Potential Impact

The vulnerability allows attackers to write or delete arbitrary files within the container filesystem, which can lead to unauthorized modification or removal of critical files. This compromises the integrity and availability of the containerized service. Although the wwwrun user is unprivileged, the attacker could potentially alter configuration files, inject malicious code, or disrupt service operations. Confidentiality may also be impacted if sensitive files are overwritten or deleted, or if the attacker uses the vulnerability as a foothold for further attacks within the network. The requirement for adjacent network access limits the attack vector to internal or local network threats, but in environments where network segmentation is weak, this could be exploited by lateral movement attackers. Organizations relying on this SUSE container for critical infrastructure management or proxy services may face service outages, data loss, or further compromise if the vulnerability is exploited.

Mitigation Recommendations

1. Immediately restrict network access to the vulnerable endpoint beyond the existing IP whitelist by implementing strict network segmentation and firewall rules to limit adjacent network exposure.
2. Monitor logs and filesystem changes within the container for unusual file write or delete operations, especially targeting the tftpsync scripts.
3. Employ container runtime security tools to detect and prevent unauthorized filesystem modifications.
4. Avoid deploying the vulnerable container image in untrusted or exposed network environments until a patch is available.
5. Follow SUSE advisories closely and apply official patches or updated container images as soon as they are released.
6. Consider running the container with further reduced privileges or using container security features such as read-only filesystems or mandatory access controls to limit the impact of potential exploitation.
7. Conduct regular security assessments and penetration tests focusing on internal network threats and container security posture.


Technical Details

Data Version: 5.2
Assigner Short Name: suse
Date Reserved: 2025-07-11T10:53:52.681Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690340b1aebfcd547455b960

Added to database: 10/30/2025, 10:40:49 AM

Last enriched: 2/27/2026, 5:29:32 AM

Last updated: 3/24/2026, 7:06:41 PM
