CVE-2025-4437
Cri-o: large /etc/passwd file may lead to denial of service
CVSS Score
5.7
EPSS Score
0.0%
EPSS Percentile
0th
There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.
| CWE | CWE-770 |
| Vendor | red hat |
| Product | red hat openshift container platform 4 |
| Published | Aug 20, 2025 |
| Last Updated | Nov 20, 2025 |
Stay Ahead of the Next One
Get instant alerts for red hat red hat openshift container platform 4
Be the first to know when new medium vulnerabilities affecting red hat red hat openshift container platform 4 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Red Hat / Red Hat OpenShift Container Platform 4
All versions affected Red Hat / Red Hat OpenShift Container Platform 4
All versions affected References
Credits
Red Hat would like to thank Dongha Kim (BoB Project Team, Pirates) for reporting this issue.