CVE-2025-9566: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Red Hat Red Hat Enterprise Linux 10
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and that volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.
Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
AI Analysis
Technical Summary
CVE-2025-9566 is a path traversal vulnerability affecting the podman container runtime in Red Hat Enterprise Linux 10. The flaw arises when the 'kube play' command processes Kubernetes Secret or ConfigMap volume mounts that include symbolic links pointing to host file system paths. An attacker leveraging this can cause podman to overwrite arbitrary files on the host system by manipulating the volume mount to redirect writes through the symbolic link. Although the attacker cannot control the data written to the target file, controlling which file is overwritten can disrupt system integrity and availability, potentially damaging critical configuration or system files. The vulnerability was introduced in podman version 4.0.0 and fixed in version 5.6.1. It requires the attacker to have low privileges (PR:L) and network access (AV:N), but no user interaction is needed. The CVSS v3.1 score is 8.1, reflecting high impact on integrity and availability with low attack complexity. No known exploits have been reported in the wild yet. This vulnerability is significant in environments where podman is used to manage Kubernetes workloads, especially when Secrets or ConfigMaps are mounted as volumes containing symbolic links, a scenario common in containerized deployments.
Potential Impact
For European organizations, the impact of CVE-2025-9566 can be substantial, particularly for enterprises relying on Red Hat Enterprise Linux 10 and podman for container orchestration and Kubernetes deployments. Successful exploitation can lead to arbitrary overwriting of host files, potentially corrupting system configurations, security policies, or critical application data, resulting in service disruption or system compromise. This undermines system integrity and availability, which are critical for sectors such as finance, healthcare, and government services prevalent in Europe. Additionally, the inability to control the content written limits the attacker's capabilities but does not eliminate the risk of denial-of-service or operational disruption. Organizations using containerized environments with Secrets or ConfigMaps mounted as volumes are at higher risk. The vulnerability could also be leveraged as part of a multi-stage attack to escalate privileges or persist within a system. Given the widespread adoption of Red Hat Enterprise Linux in European enterprises and public sector infrastructure, the threat is relevant and demands prompt remediation.
Mitigation Recommendations
European organizations should immediately upgrade podman to version 5.6.1 or later where the vulnerability is patched. Until patching is possible, restrict access to the 'kube play' command and limit the use of symbolic links within Secret or ConfigMap volume mounts. Implement strict validation and sanitization of volume mount configurations to prevent symbolic link exploitation. Employ container security best practices such as running containers with the least privilege, using SELinux or AppArmor profiles to restrict podman’s file system access, and monitoring file system integrity for unauthorized changes. Network segmentation and access controls should be enforced to limit exposure of podman services to untrusted networks. Regularly audit container configurations and volume mounts for suspicious symbolic links. Additionally, integrate vulnerability scanning and compliance checks into CI/CD pipelines to detect vulnerable podman versions and risky configurations before deployment.
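The root cause described in the Technical Summary is a writer that follows a symlink inside a Secret/ConfigMap volume without checking where it lands. The added Go example below (not podman's code, and not the upstream fix) shows the two defensive checks the recommendations above call for: ResolveInsideRoot refuses a write target that resolves outside the volume root or through a dangling link, and AuditVolume walks an existing volume directory and lists every symlink that would escape it. Names are hypothetical; the volume path is taken from the command line.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath: path escapes the volume root or passes through a dangling symlink.
var ErrUnsafePath = errors.New("unsafe path: escapes volume root")
// ResolveInsideRoot resolves rel under root through any symlinks already on disk and
// refuses it unless it stays inside root (hypothetical helper, not podman's code).
func ResolveInsideRoot(root, rel string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, rel) // Join also cleans ".." components
	existing := candidate                    // walk up to the nearest path that exists
	for _, lerr := os.Lstat(existing); lerr != nil; _, lerr = os.Lstat(existing) {
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil { // Lstat saw it but it does not resolve: dangling symlink
		return "", fmt.Errorf("%s: %w", rel, ErrUnsafePath)
	}
	final := filepath.Join(resolved, strings.TrimPrefix(candidate, existing))
	if final != absRoot && !strings.HasPrefix(final, absRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("%s -> %s: %w", rel, final, ErrUnsafePath)
	}
	return final, nil
}
// AuditVolume walks root and lists every symlink that escapes it (or dangles).
func AuditVolume(root string) (findings []string, err error) {
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return walkErr
		}
		rel, _ := filepath.Rel(root, p)
		if _, rerr := ResolveInsideRoot(root, rel); errors.Is(rerr, ErrUnsafePath) {
			findings = append(findings, rel)
		}
		return nil
	})
	return findings, err
}
func main() { fmt.Println(AuditVolume(os.Args[1])) } // usage: go run . /path/to/volume
```

A dangling link is treated as unsafe on purpose: writing through it would create the target wherever it points later.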
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-08-27T22:17:43.489Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 9/5/2025, 8:04:47 PM
Last enriched: 10/22/2025, 5:49:03 AM
Last updated: 10/22/2025, 1:45:16 PM