
CVE-2025-57850: Incorrect Default Permissions in Red Hat OpenShift Dev Spaces

Severity: Medium
Published: Tue Dec 02 2025 (12/02/2025, 18:53:35 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat OpenShift Dev Spaces

Description

A container privilege escalation flaw was found in certain CodeReady Workspaces images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

AI-Powered Analysis

Last updated: 01/22/2026, 20:12:29 UTC

Technical Analysis

CVE-2025-57850 is a container privilege escalation vulnerability identified in certain Red Hat OpenShift Dev Spaces images, specifically within CodeReady Workspaces. The root cause is the /etc/passwd file being created with group-writable permissions during the container image build process. This misconfiguration allows any user who has command execution rights inside the container and is a member of the root group to modify the /etc/passwd file. By doing so, the attacker can add a new user entry with an arbitrary user identifier (UID), including UID 0, which corresponds to the root user. This effectively grants the attacker full root privileges within the container environment. The vulnerability requires a high level of privileges initially (membership in the root group) and local access to the container, but no user interaction is necessary. The CVSS v3.1 score is 5.2 (medium), reflecting the limited attack vector (local) and the requirement for high privileges to exploit. The impact includes potential unauthorized container root access, which could lead to container compromise, lateral movement within containerized environments, and undermining of container isolation. However, this vulnerability does not directly escalate privileges on the host operating system. No public exploits or active exploitation have been reported to date. The issue highlights the importance of secure container image build practices and strict permission settings on critical system files within containers.

Potential Impact

For European organizations utilizing Red Hat OpenShift Dev Spaces, this vulnerability poses a risk primarily to container security and integrity. If exploited, attackers with limited privileges inside a container could escalate to root within that container, potentially allowing them to manipulate containerized applications, access sensitive data, or disrupt services. While the vulnerability does not directly compromise the host system, compromised containers can be used as footholds for further attacks, including lateral movement or privilege escalation if other vulnerabilities exist. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) could face compliance and operational risks if container environments are compromised. Additionally, development and CI/CD pipelines relying on these container images may be affected, leading to potential supply chain risks. The medium severity rating indicates a moderate but non-trivial threat that requires timely attention to prevent exploitation.

Mitigation Recommendations

1. Immediately review and update the build process for CodeReady Workspaces container images to ensure /etc/passwd and other critical system files are created with secure, non-group-writable permissions.
2. Apply any patches or updates provided by Red Hat addressing this vulnerability as soon as they become available.
3. Restrict root group membership within containers to the minimum necessary users and services to reduce the attack surface.
4. Implement container runtime security policies that enforce file permission checks and prevent unauthorized modifications to critical files.
5. Use container image scanning tools to detect insecure file permissions and configuration issues before deployment.
6. Employ least privilege principles in container user and group assignments to limit potential privilege escalation paths.
7. Monitor container logs and audit trails for suspicious activities related to /etc/passwd modifications or unexpected user additions.
8. Consider isolating sensitive workloads in separate namespaces or clusters to limit the impact of container compromises.
9. Educate development and operations teams about secure container image creation and the risks of improper file permissions.
10. Regularly review and update container security policies in alignment with Red Hat's security advisories and best practices.
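As an added example of steps 1 and 5 above (not code from the advisory or from Red Hat), the script below audits an extracted image rootfs for group- or world-writable copies of /etc/passwd and other sensitive files, the exact defect behind this CVE, and optionally strips the offending write bits. It assumes GNU coreutils `stat` and a rootfs directory path you supply; the file list is a constructed starting point.

```shell
#!/bin/sh
# Audit critical files in a container rootfs for group/other write bits.
# Usage: audit_rootfs /path/to/rootfs [fix]
# Exit status: 0 when every file is clean, 1 when any loose file was found
# (even if it was then fixed, so CI can flag the image that shipped it).

CRITICAL_FILES="etc/passwd etc/group etc/shadow etc/sudoers"   # constructed list

# file_mode FILE -> octal permission bits, e.g. 664 (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# is_loose_mode MODE -> success (0) if the group or other write bit is set.
is_loose_mode() {
    perm=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')   # drop suid/sgid/sticky digit
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

audit_rootfs() {
    root=$1; fix=${2:-}; bad=0
    for f in $CRITICAL_FILES; do
        path="$root/$f"
        [ -e "$path" ] || continue          # not every image ships every file
        mode=$(file_mode "$path")
        if is_loose_mode "$mode"; then
            echo "LOOSE  $f mode=$mode owner=$(stat -c '%U:%G' "$path")"
            bad=1
            if [ "$fix" = fix ]; then
                chmod go-w "$path"          # remove group and other write bits
                echo "FIXED  $f mode=$(file_mode "$path")"
            fi
        else
            echo "ok     $f mode=$mode"
        fi
    done
    return $bad
}
```

Run it against a rootfs exported from the image (for example the output of `podman export` unpacked into a directory) as a build-time gate; the same logic belongs in a Dockerfile as a final `chmod go-w /etc/passwd /etc/group` layer.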


Technical Details

Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2025-08-21T14:40:40.822Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692f388ae0601f8fcd7a94fc

Added to database: 12/2/2025, 7:05:46 PM

Last enriched: 1/22/2026, 8:12:29 PM

Last updated: 2/7/2026, 3:33:27 PM

Views: 91
