VulnerableCode Package Details - pkg:rpm/redhat/podman@5:5.2.2-8.rhaos4.17?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-7y8a-8can-nba1 Aliases: CVE-2025-22871 GHSA-g9pc-8g42-g6vq	RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.	There are no reported fixed by versions.
VCID-tuub-p4f4-nqer Aliases: CVE-2025-6032 GHSA-65gg-3w2w-hr4h	Podman Improper Certificate Validation; machine missing TLS verification ### Impact The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack. ### Patches https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3 Fixed in v5.5.2 ### Workarounds Download the disk image manually via some other tool that verifies the TLS connection. Then pass the local image as file path (podman machine init --image ./somepath)	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-7y8a-8can-nba1
Aliases:
CVE-2025-22871
GHSA-g9pc-8g42-g6vq

RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

There are no reported fixed by versions.

VCID-tuub-p4f4-nqer
Aliases:
CVE-2025-6032
GHSA-65gg-3w2w-hr4h

Podman Improper Certificate Validation; machine missing TLS verification ### Impact The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack. ### Patches https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3 Fixed in v5.5.2 ### Workarounds Download the disk image manually via some other tool that verifies the TLS connection. Then pass the local image as file path (podman machine init --image ./somepath)

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-10T08:23:02.105258+00:00	RedHat Importer	Affected by	VCID-7y8a-8can-nba1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22871.json	38.1.0
2026-04-01T13:41:01.693166+00:00	RedHat Importer	Affected by	VCID-7y8a-8can-nba1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22871.json	38.0.0
2026-04-01T13:39:06.526751+00:00	RedHat Importer	Affected by	VCID-tuub-p4f4-nqer	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6032.json	38.0.0