CVE-2025-65105

Description

Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.

CVSS v3.1 Score

4.5

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Weakness Type (CWE)

CWE-61 CWE-61

CWE-706 CWE-706

Affected Products

Vendor	Product	Versions
lfprojects	apptainer	< 1.4.5

References

Advisories & Patches

https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981 https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2 https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j

Other References

https://github.com/apptainer/apptainer/pull/3226 https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87

Frequently Asked Questions

What is CVE-2025-65105? +

Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5. It has a CVSS v3.1 base score of 4.5 (MEDIUM).

How severe is CVE-2025-65105? +

CVE-2025-65105 has a CVSS v3.1 score of 4.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-65105? +

CVE-2025-65105 affects products from lfprojects, specifically: apptainer. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-65105? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-5223

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source …

CVE-2026-31893

Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user …

CVE-2025-29787

`zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction …

CVE-2025-57802

Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version …

CVE-2025-46810

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate …

CVE-2025-59825

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may …