Medium severity5.7GHSA Advisory· Published Aug 20, 2025· Updated Apr 15, 2026

CVE-2025-4437

Description

There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/cri-o/cri-oGo	<= 1.33.3	—

Affected products

Cri O/Cri OGHSA
Range: <= 1.33.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-8f93-j3fx-72f3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-4437ghsaADVISORY
access.redhat.com/security/cve/CVE-2025-4437nvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB
pkg.go.dev/vuln/GO-2025-3897ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.371
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000