CVE-2025-9566: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Red Hat Enterprise Linux 10

Severity: High
Type: Vulnerability
Published: Fri Sep 05 2025 (09/05/2025, 19:54:30 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Enterprise Linux 10

Description

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.

Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1

AI-Powered Analysis

Last updated: 09/05/2025, 20:05:14 UTC

Technical Analysis

CVE-2025-9566 is a high-severity path traversal vulnerability affecting the podman container management tool included in Red Hat Enterprise Linux 10. The flaw arises when an attacker uses the 'kube play' command with a Kubernetes file that contains a Secret or ConfigMap volume mount, and that volume contains a symbolic link pointing to a host file path. Due to improper limitation of pathname resolution, the attacker can overwrite arbitrary files on the host system by leveraging the symbolic link within the volume mount. However, the attacker cannot control the content written to the target file, only the file path to be overwritten. This vulnerability was introduced in podman version 4.0.0 and fixed in version 5.6.1.

The CVSS 3.1 base score is 8.1, reflecting high severity: network attack vector, low attack complexity, low privileges required (PR:L), no user interaction, unchanged scope, no confidentiality impact, and high impact on integrity and availability. The vulnerability allows an attacker with some level of privileges on the container host to overwrite critical host files, potentially leading to denial of service or integrity compromise of system files.

Although no known exploits are currently in the wild, the vulnerability poses a significant risk in environments where podman is used to run Kubernetes workloads with mounted Secrets or ConfigMaps that include symbolic links. The improper pathname limitation allows bypassing intended container isolation boundaries, undermining the security model of containerized workloads on Red Hat Enterprise Linux 10 systems.

Potential Impact

For European organizations, especially those running containerized workloads with podman on Red Hat Enterprise Linux 10, this vulnerability could lead to serious operational disruptions. Attackers with limited privileges could overwrite critical host files, potentially causing system instability, denial of service, or enabling further privilege escalation. This risk is particularly acute in sectors with high container adoption such as finance, telecommunications, and government infrastructure. The inability to control file content limits some attack vectors, but the mere ability to overwrite files can disrupt system integrity and availability. Organizations running Kubernetes workloads with Secrets or ConfigMaps mounted as volumes containing symbolic links are at heightened risk. This vulnerability could also undermine compliance with data integrity and availability requirements under European regulations such as GDPR and the NIS Directive, especially if critical infrastructure services are impacted.

Mitigation Recommendations

1. Upgrade podman to version 5.6.1 or later where the vulnerability is fixed.
2. Audit existing Kubernetes Secret and ConfigMap volume mounts for symbolic links that point outside the container filesystem and remove or replace them.
3. Implement strict container runtime security policies that restrict volume mounts containing symbolic links or untrusted content.
4. Employ file integrity monitoring on host systems to detect unauthorized file overwrites.
5. Limit privileges of users and processes that can invoke 'kube play' commands or manage podman containers to reduce attack surface.
6. Use container security tools to scan for misconfigurations and enforce best practices regarding volume mounts.
7. Monitor logs for suspicious podman activity related to volume mounts and file modifications.
8. Consider network segmentation and host-based intrusion detection to detect and contain exploitation attempts early.
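
Recommendations 1 and 2 can be checked with a short script. The following is an added example, not code from podman or from this advisory's source: it compares a version string against the upstream range given above and lists symbolic links in a volume directory that resolve outside it. The function names, the caller-supplied `volume_root` directory and the sample tree (including the `/opt/example/host-file` target) are constructed assumptions.

```python
import os
import re
import tempfile

INTRODUCED = (4, 0, 0)  # Upstream-version-introduced, from the advisory
FIXED = (5, 6, 1)       # Upstream-version-fixed, from the advisory


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'podman version 5.4.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the upstream version lies in [4.0.0, 5.6.1)."""
    return INTRODUCED <= parse_version(version_text) < FIXED


def escaping_symlinks(volume_root):
    """Return (link, resolved_target) for links resolving outside volume_root."""
    root = os.path.realpath(volume_root)  # caller-supplied volume directory
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # follows chained links too
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def build_sample_volume():
    """Constructed sample: one link inside the volume, one to a host path."""
    root = tempfile.mkdtemp(prefix="kube-volume-")
    with open(os.path.join(root, "app.conf"), "w") as fh:
        fh.write("key=value\n")
    os.symlink("app.conf", os.path.join(root, "current.conf"))
    os.symlink("/opt/example/host-file", os.path.join(root, "token"))
    return root


if __name__ == "__main__":
    print("affected:", is_affected("podman version 5.4.0"))
    for link, target in escaping_symlinks(build_sample_volume()):
        print(f"{link} -> {target}")
```

Distribution packages may carry backported fixes, so the version comparison reflects the upstream range only; confirm package status against the vendor's errata.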

Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-08-27T22:17:43.489Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bb425f535f4a97730e492e

Added to database: 9/5/2025, 8:04:47 PM

Last enriched: 9/5/2025, 8:05:14 PM

Last updated: 9/8/2025, 1:40:33 PM
