CVE-2025-57852 identifies a security vulnerability in Red Hat OpenShift AI version 2.16, specifically within the KServe ModelMesh container images. The root cause is the incorrect default permissions assigned to the /etc/passwd file during the container image build process, where the file is created with group-writable permissions. This misconfiguration allows any user who has command execution capability inside the container and belongs to the root group to modify the /etc/passwd file. By altering this file, an attacker can add a new user entry with any arbitrary user identifier (UID), including UID 0, which corresponds to the root user. This effectively enables privilege escalation from a non-root user to root within the container environment. The vulnerability requires that the attacker already has some level of command execution inside the container and membership in the root group, which implies a prerequisite level of access. No user interaction is necessary to exploit this flaw. The CVSS v3.1 base score is 6.4, reflecting a medium severity rating due to the high impact on confidentiality, integrity, and availability within the container, but mitigated by the requirement for high privileges and local access. There are no known exploits in the wild at the time of publication. The vulnerability highlights the importance of secure container image build practices, particularly ensuring that critical system files like /etc/passwd have restrictive permissions to prevent unauthorized modification. This issue is specific to Red Hat OpenShift AI 2.16 and the KServe ModelMesh container images, which are used in AI model serving within OpenShift environments.

The vulnerability allows an attacker with limited privileges inside a container to escalate to root privileges by modifying the /etc/passwd file due to improper file permissions. This can lead to full container compromise, enabling the attacker to execute arbitrary code as root, potentially affecting the confidentiality, integrity, and availability of applications running within the container. In multi-tenant OpenShift environments, this could facilitate lateral movement or privilege escalation to other containers or the host if additional misconfigurations exist. The impact is significant for organizations relying on Red Hat OpenShift AI 2.16 for AI model deployment and serving, as compromised containers could lead to data breaches, service disruption, or unauthorized access to sensitive AI workloads. However, the requirement for existing command execution and root group membership limits the ease of exploitation, reducing the likelihood of widespread exploitation without prior access. Still, the vulnerability poses a risk in environments where container security boundaries are critical and where attackers may already have footholds.

To mitigate this vulnerability, organizations should: 1) Apply any available patches or updates from Red Hat for OpenShift AI 2.16 and KServe ModelMesh container images as soon as they are released. 2) Review and harden container image build processes to ensure that critical system files such as /etc/passwd are created with secure, non-group-writable permissions. 3) Limit membership of the root group within containers to only trusted processes and users to reduce the risk of privilege escalation. 4) Implement strict container runtime security policies that restrict command execution capabilities and group memberships. 5) Employ container security tools to scan images for insecure file permissions and configurations before deployment. 6) Monitor container environments for unusual modifications to system files and privilege escalation attempts. 7) Consider using container security features such as SELinux, AppArmor, or seccomp profiles to limit the impact of potential exploits. 8) Educate development and operations teams on secure container image creation and privilege management best practices. These steps will reduce the attack surface and help prevent exploitation of this vulnerability.