Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-65105

Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 4.5, requiring local system access to exploit but requires specific conditions to be met though user interaction is required and does not require pre-existing privileges . The vulnerability impacts limited data confidentiality, limited integrity, and limited availability for affected systems. Impacting 1 product from lfprojects organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2025, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2025-12-02T18:15:48.947

Last Modified

2025-12-05T19:08:58.887

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-61
CWE-706

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lfprojects	apptainer	< 1.4.5	Yes

References

https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981 Patch ([email protected])
https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2 Patch ([email protected])
https://github.com/apptainer/apptainer/pull/3226 Issue Tracking ([email protected])
https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j Patch, Vendor Advisory ([email protected])
https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm Not Applicable ([email protected])
https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87 Not Applicable ([email protected])

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For lfprojects's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.