CVE-2025-62161 is a race condition vulnerability classified under CWE-363 (Race Condition) and CWE-61 (Improper Restriction of Symbolic Links) affecting the youki container runtime, a Rust-based container runtime. In versions 0.5.6 and earlier, the initial validation of the source /dev/null device node during bind mounting is insufficient. Specifically, when youki bind mounts the container's /dev/null as a file mask, the validation process does not adequately prevent a race condition that allows an attacker to replace or follow symbolic links. This flaw can be exploited to escape the container sandbox, potentially allowing an attacker with limited privileges inside the container to gain unauthorized access to the host system or other containers. The vulnerability requires local access with some privileges (PR:L), partial authentication (AT:P), and user interaction (UI:A), but the impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H). The CVSS 4.0 score is 7.3, indicating a high severity. The vulnerability was reserved in early October 2025 and published in November 2025. No known exploits have been reported in the wild yet. The issue is resolved in youki version 0.5.7, which includes improved validation to prevent the race condition and symbolic link following during bind mounts of /dev/null. This vulnerability is critical for container environments relying on youki, as container escape can lead to full host compromise.

For European organizations, this vulnerability poses a significant risk to containerized environments using youki runtime versions below 0.5.7. Successful exploitation can lead to container escape, undermining the isolation guarantees of containerization and potentially allowing attackers to access sensitive host resources, escalate privileges, and move laterally within networks. This can compromise confidentiality of data, integrity of systems, and availability of services running in containers. Organizations running critical infrastructure, cloud services, or development pipelines with youki are particularly at risk. The requirement for local access and user interaction limits remote exploitation but insider threats or compromised containers can leverage this flaw. The high impact on all security properties means that unpatched systems could be used as a foothold for broader attacks, including ransomware or espionage campaigns targeting European enterprises. The lack of known exploits currently provides a window for proactive patching and mitigation.

European organizations should immediately upgrade all youki container runtimes to version 0.5.7 or later to eliminate the vulnerability. In addition, implement strict access controls to limit who can execute containers or access container runtimes, reducing the risk of local exploitation. Employ runtime security tools that monitor for unusual container behavior indicative of escape attempts. Use container security best practices such as dropping unnecessary capabilities, using seccomp profiles, and enforcing read-only file systems to reduce attack surface. Conduct regular audits of container configurations to ensure no symbolic link manipulations are possible. For environments where upgrading is temporarily not feasible, isolate youki containers on dedicated hosts with minimal privileges and monitor logs for suspicious activity related to /dev/null or bind mounts. Finally, educate developers and operators about the risks of race conditions and symbolic link attacks in container environments.