{"api_version":"1","generated_at":"2026-06-27T02:40:29+00:00","cve":"CVE-2025-4953","urls":{"html":"https://cve.report/CVE-2025-4953","api":"https://cve.report/api/cve/CVE-2025-4953.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-4953","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-4953"},"summary":{"title":"Podman: build context bind mount","description":"A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.","state":"PUBLISHED","assigner":"redhat","published_at":"2025-09-16 15:15:45","updated_at":"2026-06-25 05:16:46"},"problem_types":["CWE-378","CWE-378 Creation of Temporary File With Insecure Permissions"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"7.4","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.4","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2025:22695","name":"https://access.redhat.com/errata/RHSA-2025:22695","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:0316","name":"https://access.redhat.com/errata/RHSA-2026:0316","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2367235","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2367235","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:22265","name":"https://access.redhat.com/errata/RHSA-2025:22265","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:15904","name":"https://access.redhat.com/errata/RHSA-2025:15904","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2025-4953","name":"https://access.redhat.com/security/cve/CVE-2025-4953","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:22275","name":"https://access.redhat.com/errata/RHSA-2025:22275","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:22732","name":"https://access.redhat.com/errata/RHSA-2025:22732","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:2703","name":"https://access.redhat.com/errata/RHSA-2025:2703","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:17669","name":"https://access.redhat.com/errata/RHSA-2025:17669","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:22724","name":"https://access.redhat.com/errata/RHSA-2025:22724","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:16729","name":"https://access.redhat.com/errata/RHSA-2025:16729","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:23113","name":"https://access.redhat.com/errata/RHSA-2025:23113","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2024:8690","name":"https://access.redhat.com/errata/RHSA-2024:8690","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/containers/podman/pull/25173","name":"https://github.com/containers/podman/pull/25173","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:16724","name":"https://access.redhat.com/errata/RHSA-2025:16724","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-4953","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4953","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","version":"unaffected 8100020250911075811.afee755d * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.12","version":"unaffected 3:4.2.0-15.rhaos4.12.el9 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.12","version":"unaffected 412.86.202601061735-0 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 1:1.29.1-5.rhaos4.13.el9 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 3:2.1.7-5.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 1:1.4.0-5.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:1.26.5-26.rhaos4.13.giteb3d487.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:1.26.0-7.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:2.2.24-5.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:2.15.0-10.rhaos4.13.el9 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:4.13.0-202410181847.p0.g53fd427.assembly.stream.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:4.13.0-202410181847.p0.gd2acdd5.assembly.stream.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:4.13.0-202410181847.p0.g1397e80.assembly.stream.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:4.13.0-202410181847.p0.gd192e90.assembly.stream.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:4.13.0-202410181847.p0.g36754b7.assembly.stream.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 3:4.4.1-15.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 4:1.1.14-2.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 2:1.11.3-4.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 1:1.29.5-1.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:5.14.0-284.109.1.el9_2 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 0:5.14.0-284.109.1.rt14.394.el9_2 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 3:4.4.1-16.rhaos4.13.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.13","version":"unaffected 413.92.202511261311-0 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.14","version":"unaffected 414.92.202512031525-0 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.15","version":"unaffected 415.92.202512100122-0 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.16","version":"unaffected 4:4.9.4-16.rhaos4.16.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.16","version":"unaffected 416.94.202512030118-0 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.17","version":"unaffected 417.94.202511260612-0 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.18","version":"unaffected 5:5.2.2-2.rhaos4.18.el8 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.18","version":"unaffected 418.94.202512022246-0 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat In-Vehicle Operating System 1","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-05-19T11:46:53.335Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2025-09-16T00:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Avoid long-running build steps and overly permissive file permissions. Use RUN --mount=type=secret for sensitive data instead of bind mounts.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"4953","cve":"CVE-2025-4953","epss":"0.005960000","percentile":"0.440010000","score_date":"2026-06-26","updated_at":"2026-06-27 00:07:46"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-4953","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-09-16T16:15:17.109594Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-09-16T16:15:21.591Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://github.com/containers/podman/","defaultStatus":"unknown","packageName":"podman","versions":[{"changes":[{"at":"50295e5e5d1a4583d26d5c6d5c0608cff498cc8d","status":"unaffected"}],"lessThan":"*","status":"affected","version":"0","versionType":"git"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"],"defaultStatus":"affected","packageName":"container-tools:rhel8","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"8100020250911075811.afee755d","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.12::el8","cpe:/a:redhat:openshift:4.12::el9"],"defaultStatus":"affected","packageName":"podman","product":"Red Hat OpenShift Container Platform 4.12","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"3:4.2.0-15.rhaos4.12.el9","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.12::el8"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4.12","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"412.86.202601061735-0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"buildah","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1:1.29.1-5.rhaos4.13.el9","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"conmon","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"3:2.1.7-5.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"containernetworking-plugins","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1:1.4.0-5.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"cri-o","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:1.26.5-26.rhaos4.13.giteb3d487.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"cri-tools","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:1.26.0-7.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"haproxy","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:2.2.24-5.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"ignition","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:2.15.0-10.rhaos4.13.el9","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"openshift","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:4.13.0-202410181847.p0.g53fd427.assembly.stream.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"openshift4-aws-iso","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:4.13.0-202410181847.p0.gd2acdd5.assembly.stream.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"openshift-ansible","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:4.13.0-202410181847.p0.g1397e80.assembly.stream.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"openshift-clients","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:4.13.0-202410181847.p0.gd192e90.assembly.stream.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"openshift-kuryr","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:4.13.0-202410181847.p0.g36754b7.assembly.stream.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"podman","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"3:4.4.1-15.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"runc","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"4:1.1.14-2.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"skopeo","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"2:1.11.3-4.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"buildah","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1:1.29.5-1.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"kernel","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:5.14.0-284.109.1.el9_2","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"kernel-rt","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:5.14.0-284.109.1.rt14.394.el9_2","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el8","cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"podman","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"3:4.4.1-16.rhaos4.13.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"413.92.202511261311-0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.14::el9"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4.14","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"414.92.202512031525-0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.15::el9"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4.15","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"415.92.202512100122-0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.16::el8","cpe:/a:redhat:openshift:4.16::el9"],"defaultStatus":"affected","packageName":"podman","product":"Red Hat OpenShift Container Platform 4.16","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"4:4.9.4-16.rhaos4.16.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.16::el9"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4.16","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"416.94.202512030118-0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.17::el9"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4.17","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"417.94.202511260612-0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.18::el8","cpe:/a:redhat:openshift:4.18::el9"],"defaultStatus":"affected","packageName":"podman","product":"Red Hat OpenShift Container Platform 4.18","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"5:5.2.2-2.rhaos4.18.el8","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4.18::el9"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4.18","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"418.94.202512022246-0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"unaffected","packageName":"podman","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","packageName":"podman","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:rhivos:1"],"defaultStatus":"unaffected","packageName":"podman","product":"Red Hat In-Vehicle Operating System 1","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","packageName":"rhcos","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"}],"datePublic":"2025-09-16T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-378","description":"Creation of Temporary File With Insecure Permissions","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-25T04:54:04.155Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2024:8690","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2024:8690"},{"name":"RHSA-2025:15904","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:15904"},{"name":"RHSA-2025:16724","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:16724"},{"name":"RHSA-2025:16729","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:16729"},{"name":"RHSA-2025:17669","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:17669"},{"name":"RHSA-2025:22265","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:22265"},{"name":"RHSA-2025:22275","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:22275"},{"name":"RHSA-2025:22695","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:22695"},{"name":"RHSA-2025:22724","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:22724"},{"name":"RHSA-2025:22732","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:22732"},{"name":"RHSA-2025:23113","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:23113"},{"name":"RHSA-2025:2703","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:2703"},{"name":"RHSA-2026:0316","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:0316"},{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-4953"},{"name":"RHBZ#2367235","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2367235"},{"url":"https://github.com/containers/podman/pull/25173"}],"timeline":[{"lang":"en","time":"2025-05-19T11:46:53.335Z","value":"Reported to Red Hat."},{"lang":"en","time":"2025-09-16T00:00:00.000Z","value":"Made public."}],"title":"Podman: build context bind mount","workarounds":[{"lang":"en","value":"Avoid long-running build steps and overly permissive file permissions. Use RUN --mount=type=secret for sensitive data instead of bind mounts."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-378: Creation of Temporary File With Insecure Permissions"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2025-4953","datePublished":"2025-09-16T14:54:50.045Z","dateReserved":"2025-05-19T11:55:32.522Z","dateUpdated":"2026-06-25T04:54:04.155Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-09-16 15:15:45","lastModifiedDate":"2026-06-25 05:16:46","problem_types":["CWE-378","CWE-378 Creation of Temporary File With Insecure Permissions"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-09-16T16:15:17.109594Z","id":"CVE-2025-4953","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"4953","Ordinal":"1","Title":"Podman: build context bind mount","CVE":"CVE-2025-4953","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"4953","Ordinal":"1","NoteData":"A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.","Type":"Description","Title":"Podman: build context bind mount"}]}}}