GHSA-8f93-j3fx-72f3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8f93-j3fx-72f3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-8f93-j3fx-72f3/GHSA-8f93-j3fx-72f3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8f93-j3fx-72f3
- Aliases
-
- CVE-2025-4437
- Published
- 2025-08-20T15:31:41Z
- Modified
- 2025-08-20T20:12:20.605213Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- CRI-O has Potential High Memory Consumption from File Read
- Details
-
There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.
- Database specific
{ "nvd_published_at": "2025-08-20T13:15:28Z", "severity": "MODERATE", "cwe_ids": [ "CWE-770" ], "github_reviewed_at": "2025-08-20T19:10:29Z", "github_reviewed": true }- References
Affected packages
Go / github.com/cri-o/cri-o
Package
- Name
- github.com/cri-o/cri-o
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cri-o/cri-o