{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/88270?format=json","vulnerability_id":"VCID-x1st-qrcw-s7hm","summary":"Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5.","aliases":[{"alias":"CVE-2025-54867"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://github.com/youki-dev/youki/commit/0d9b4f2aa5ceaf988f3eb568711d2acf0a4ace37","reference_id":"0d9b4f2aa5ceaf988f3eb568711d2acf0a4ace37","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-14T18:43:03Z/"}],"url":"https://github.com/youki-dev/youki/commit/0d9b4f2aa5ceaf988f3eb568711d2acf0a4ace37"},{"reference_url":"https://github.com/youki-dev/youki/security/advisories/GHSA-j26p-6wx7-f3pw","reference_id":"GHSA-j26p-6wx7-f3pw","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-14T18:43:03Z/"}],"url":"https://github.com/youki-dev/youki/security/advisories/GHSA-j26p-6wx7-f3pw"},{"reference_url":"https://github.com/youki-dev/youki/releases/tag/v0.5.5","reference_id":"v0.5.5","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-14T18:43:03Z/"}],"url":"https://github.com/youki-dev/youki/releases/tag/v0.5.5"}],"weaknesses":[{"cwe_id":61,"name":"UNIX Symbolic Link (Symlink) Following","description":"The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files."}],"exploits":[],"severity_range_score":"7.0 - 7.0","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x1st-qrcw-s7hm"}