CVE-2020-25039
Description
Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sylabs Singularity 3.2.0–3.6.2 uses insecure permissions on temporary directories for fakeroot/user namespace containers, allowing file disclosure and injection.
Vulnerability
Description
CVE-2020-25039 is an insecure permissions vulnerability in Sylabs Singularity versions 3.2.0 through 3.6.2. When a container is executed using the fakeroot or user namespace option, the container image is extracted to a temporary sandbox directory. Due to improper permission settings on these temporary directories, other users on the same system can access and read the contents of the image [1].
Exploitation
Method
An attacker needs only local access to the system where a vulnerable Singularity action command (run, shell, exec) is executed with either the fakeroot or user namespace flag. The temporary directory is created with permissions that are too permissive, allowing any unprivileged user to traverse and read files from the extracted container image. Furthermore, if the container image itself contains a world-writable file or directory, a local attacker can inject arbitrary content into the running container [2].
Impact
Successful exploitation can lead to disclosure of sensitive data present inside the container image, such as configuration files, secrets, or application data. In the case of a world-writable entry in the image, an attacker may also modify files within the running container, potentially altering its behavior or compromising the execution environment [1][2].
Mitigation
Sylabs addressed this issue in Singularity 3.6.3. Users are strongly advised to upgrade to this version or later. As a partial workaround, setting the TMPDIR environment variable to a directory that is only accessible to the user can reduce exposure, but this mitigation is not reliably enforceable and is not recommended as a sole defense [2]. The vulnerability is publicly documented and has been assigned a CVSS v3 score of 7.1 (HIGH).
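As an added defensive illustration (not code from Singularity or from the advisory), the two conditions described above expressed as a Go audit of an extracted sandbox directory: a root reachable by group or others, and world-writable entries inside the image. The function names, the 0755/0666 sample modes and the "sandbox-" prefix are constructed for the example and are not the project's own values.

```go
package main
import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// AuditSandbox applies the two checks the advisory implies: the sandbox root
// must not be reachable by group/others (file disclosure) and nothing inside
// may be world-writable (content injection). Symlink mode bits are skipped.
func AuditSandbox(root string) ([]string, error) {
	var out []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		fi, err := d.Info()
		if err != nil {
			return err
		}
		perm := fi.Mode().Perm()
		switch {
		case p == root && perm&0o077 != 0:
			out = append(out, fmt.Sprintf("%s %04o sandbox root accessible to group/others", p, perm))
		case p != root && fi.Mode()&fs.ModeSymlink == 0 && perm&0o002 != 0:
			out = append(out, fmt.Sprintf("%s %04o world-writable entry inside image", p, perm))
		}
		return nil
	})
	return out, err
}

// NewSandboxDir creates a root the safe way: os.MkdirTemp uses 0700 and the explicit Chmod pins it regardless of umask.
func NewSandboxDir(parent string) (string, error) {
	dir, err := os.MkdirTemp(parent, "sandbox-")
	if err != nil {
		return "", err
	}
	return dir, os.Chmod(dir, 0o700)
}

func main() {
	// Constructed demo: audit a sandbox root opened up to other users (0755).
	weak, _ := os.MkdirTemp("", "weak-")
	defer os.RemoveAll(weak)
	os.Chmod(weak, 0o755) // reproduce the weak permissions the advisory describes
	findings, err := AuditSandbox(weak)
	fmt.Println(findings, err)
}
```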
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/sylabs/singularity (Go) | >= 3.2.0, < 3.6.3 | 3.6.3 |
Affected products
- Sylabs/Singularity (5 version ranges, no CPE)
  - Package URLs:
    - pkg:golang/github.com/sylabs/singularity
    - pkg:rpm/opensuse/singularity&distro=openSUSE%20Leap%2015.1
    - pkg:rpm/opensuse/singularity&distro=openSUSE%20Leap%2015.2
    - pkg:rpm/opensuse/singularity&distro=openSUSE%20Tumbleweed
    - pkg:rpm/suse/singularity&distro=SUSE%20Package%20Hub%2015%20SP2
  - Version ranges:
    - >= 3.2.0, < 3.6.3
    - < 3.6.3-lp152.2.6.1
    - < 3.6.3-lp152.2.6.1
    - < 3.8.3-1.2
    - < 3.6.3-bp152.2.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html (SUSE vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html (SUSE vendor advisory)
- github.com/advisories/GHSA-w6v2-qchm-grj7 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-25039 (NVD entry)
- github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7 (project security advisory)
- medium.com/sylabs (vendor blog)
News mentions
No linked articles in our index yet.