CVE-2025-58712: Incorrect Default Permissions in apache activemq-artemis
A container privilege escalation flaw was found in certain AMQ Broker images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-58712 identifies a container privilege escalation vulnerability in certain Apache ActiveMQ Artemis broker container images. The root cause is the /etc/passwd file being created with group-writable permissions during the container image build process. This misconfiguration allows any user who can execute commands inside the container and who is a member of the root group to modify the /etc/passwd file. By altering this file, an attacker can add new user entries with arbitrary user IDs, including UID 0, effectively granting themselves root-level privileges within the container environment. This escalation of privileges can enable attackers to bypass container isolation and potentially compromise containerized applications or pivot to other parts of the host environment if container escape vulnerabilities exist. The vulnerability requires the attacker to have command execution capabilities inside the container and membership in the root group, which limits the ease of exploitation but still poses a significant risk in multi-tenant or shared container environments. The CVSS v3.1 base score is 6.4, reflecting medium severity due to the high impact on confidentiality, integrity, and availability within the container, but with a higher attack complexity and required privileges. No patches or exploits are currently publicly known, but the issue was published on October 22, 2025, and users should monitor for updates from Apache and their container image providers.
Potential Impact
This vulnerability allows an attacker with limited privileges inside an affected container to escalate to root privileges by modifying the /etc/passwd file. The impact includes full compromise of the container environment, enabling unauthorized access to sensitive data, modification or deletion of files, and disruption of containerized services. In environments where containers share resources or are orchestrated in clusters, this could lead to lateral movement or further compromise if combined with other vulnerabilities. Organizations relying on Apache ActiveMQ Artemis containers for messaging infrastructure may face service disruptions, data breaches, or unauthorized control over messaging workflows. The requirement for existing command execution and root group membership reduces the risk somewhat but does not eliminate it, especially in complex deployments with multiple users or automated processes running with elevated group privileges.
Mitigation Recommendations
1. Immediately audit and restrict group permissions on critical system files such as /etc/passwd within container images to ensure they are not group-writable.
2. Rebuild affected Apache ActiveMQ Artemis container images with corrected file permissions, removing group write access from /etc/passwd and other sensitive files.
3. Limit container user group memberships, avoiding inclusion of non-root users in privileged groups like root.
4. Implement strict container runtime security policies that prevent privilege escalation, such as using seccomp, AppArmor, or SELinux profiles tailored to restrict file modifications.
5. Monitor container environments for unexpected modifications to /etc/passwd or suspicious user additions.
6. Apply the latest security patches and updates from Apache and container image maintainers as they become available.
7. Consider running containers with minimal privileges and using user namespaces to isolate container user IDs from the host.
8. Employ container image scanning tools to detect insecure file permissions during the build and deployment pipeline.
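The audit and monitoring steps above (items 1, 3 and 5) can be scripted. The following POSIX sh helpers are an added example, not code from the advisory or from the Apache ActiveMQ Artemis project: they check whether the account database files are group-writable, whether the current process belongs to the root group (the precondition the advisory names), and whether /etc/passwd carries UID 0 entries other than root (the artifact an abuse would leave behind). The root filesystem path is a parameter so the same checks run against an extracted image rootfs in a build pipeline or against a live container; the sample passwd lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): defender-side audit helpers for the
# conditions CVE-2025-58712 describes. Works in POSIX sh, including BusyBox.

# Returns 0 (true) when FILE is group-writable, 1 otherwise.
# Parses `ls -ld` instead of `stat` so it behaves the same on BusyBox and GNU:
# character 6 of the mode string ("-rw-rw-r--") is the group write bit.
is_group_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c6)
    [ "$mode" = "w" ]
}

# Returns 0 when the calling process is a member of GID 0 (the root group),
# which is the membership the advisory says can be leveraged.
in_root_group() {
    id -G | tr ' ' '\n' | grep -qx 0
}

# Prints every entry in PASSWD_FILE other than "root" that carries UID 0.
extra_uid0_entries() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Returns 0 when at least one such entry exists, i.e. something to investigate.
has_extra_uid0() {
    [ -n "$(extra_uid0_entries "$1")" ]
}

# Audit a rootfs (default: the running system) and report findings.
# Exit status 1 when any check fails, so it can gate a CI pipeline.
audit_rootfs() {
    root=${1:-}
    rc=0
    for f in /etc/passwd /etc/group /etc/shadow; do
        [ -e "$root$f" ] || continue
        if is_group_writable "$root$f"; then
            echo "FAIL: $root$f is group-writable"
            rc=1
        fi
    done
    if [ -e "$root/etc/passwd" ] && has_extra_uid0 "$root/etc/passwd"; then
        echo "FAIL: non-root UID 0 entries in $root/etc/passwd:" \
             "$(extra_uid0_entries "$root/etc/passwd" | tr '\n' ' ')"
        rc=1
    fi
    if [ -z "$root" ] && in_root_group; then
        echo "WARN: current process is a member of the root group (GID 0)"
    fi
    return $rc
}

# Usage: run against an image rootfs extracted to /tmp/rootfs (path is an
# example), or with no argument against the live system.
#   audit_rootfs /tmp/rootfs
```

Running `audit_rootfs` on an unpacked image during the build is the automated form of item 1; the rebuild in item 2 is then a matter of making the Dockerfile set `chmod 644 /etc/passwd` (and the same for /etc/group, with /etc/shadow kept at 600 or 640) after whatever step created the file, and re-running the audit to confirm it now passes.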
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-09-03T15:20:52.036Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f92183732d1470b7fcdfeb
Added to database: 10/22/2025, 6:25:07 PM
Last enriched: 3/7/2026, 8:38:05 PM
Last updated: 3/24/2026, 7:44:40 PM