Critical NVIDIA Container Toolkit Vulnerability: CVE-2025-23359

August 29, 2025

A security vulnerability, CVE-2025-23359, has been identified in the NVIDIA Container Toolkit. This is a bypass of the original patch for CVE-2024-0132. The vulnerability was discovered by Wiz Research.

CVE-2025-23359 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability. By manipulating file paths with a symbolic link during mount operations, an attacker can mount the host's root file system into a container, gaining unrestricted access. Although this initial access is read-only, the attacker can use Unix sockets to launch new, privileged containers, achieving full host compromise.

Conditions/Preconditions:

  • The vulnerability occurs when the NVIDIA Container Toolkit is used with its default configuration.
  • A crafted container image is required to exploit the vulnerability.

Who is at risk?

  • Any AI application running the vulnerable container toolkit, whether in the cloud or on-premises, is affected.
  • Cloud Service Providers are particularly vulnerable.

Attack Vector:

  • The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) issue.
  • It involves manipulating file paths during mount operations using a symbolic link. This allows mounting from outside the container (the root directory) into a path within "/usr/lib64".
  • Even though the initial access to the host file system is read-only, attackers can interact with Unix sockets to spawn new privileged containers and gain unrestricted access.
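The bug class described above, as an added illustration in Python (not NVIDIA's code or patch, and not part of the original advisory): `naive_check` validates a path string that is resolved again when it is used, while `open_dir_beneath` pins the validated directory to a file descriptor. The function names and the `rootfs`/`lib`/`outside` layout are constructed for this example, and it assumes Linux (`O_PATH`).

```python
import os
import tempfile

def naive_check(root, relpath):
    """Check-then-use on a path string: whoever uses the result resolves it again."""
    full = os.path.join(root, relpath)
    if not os.path.realpath(full).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError(f"{relpath} escapes {root}")
    return full  # still only a name; a symlink swapped in later changes its target

def open_dir_beneath(root_fd, relpath):
    """Walk relpath under root_fd one component at a time; return a pinned O_PATH fd."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("need a relative path without '..'")
    # O_DIRECTORY plus O_NOFOLLOW makes any symlink component fail with ENOTDIR
    flags = os.O_PATH | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.dup(root_fd)
    try:
        for name in parts:
            nxt = os.open(name, flags, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def demo():
    """Constructed scenario: 'lib' passes validation, then is swapped for a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "rootfs"), os.path.join(tmp, "outside")
        lib, moved = os.path.join(root, "lib"), os.path.join(root, "lib.orig")
        os.makedirs(lib)
        os.makedirs(outside)
        root_fd = os.open(root, os.O_PATH | os.O_DIRECTORY)
        name = naive_check(root, "lib")        # validated path string
        fd = open_dir_beneath(root_fd, "lib")  # validated, pinned descriptor
        os.rename(lib, moved)
        os.symlink(outside, lib)               # the swap happens after both checks
        try:
            os.close(open_dir_beneath(root_fd, "lib"))
            refused = False
        except OSError:
            refused = True
        out = (os.path.samefile(name, outside),
               os.fstat(fd).st_ino == os.stat(moved).st_ino, refused)
        os.close(fd)
        os.close(root_fd)
        return out  # (name now leads outside, fd still the original dir, re-open refused)
```

Code that consumes the result should operate on the returned descriptor (for example through `/proc/self/fd/<n>`) rather than on the name, so the object that was checked is the object that is used.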

Affected Versions:

  • NVIDIA Container Toolkit: All versions up to and including 1.17.3
  • NVIDIA GPU Operator: All versions up to and including 24.9.1

Recommendations:

  • Update to the latest version of NVIDIA Container Toolkit (1.17.4) and NVIDIA GPU Operator (24.9.2).
  • Do not disable the --no-cntlibs flag in production environments.
  • Prioritize patching for VMs that are likely using the toolkit to launch container images.
  • Prioritize cases where vulnerable container hosts are using a container image from a publicly writable repository or an external source.

XYZCorp's Solution:

At XYZCorp, we understand the importance of security in your AI pipelines. That's why our vulnerability-free, signed images provide a trusted and verified source for your most critical workload.

Stay safe!
