VYPR
High severityOSV Advisory· Published Sep 12, 2025· Updated Apr 15, 2026

CVE-2025-59054

CVE-2025-59054

Description

dstack is a software development kit (SDK) to simplify the deployment of arbitrary containerized apps into trusted execution environments. In versions of dstack prior to 0.5.4, a malicious host may provide a crafted LUKS2 data volume to a dstack CVM for use as the /data mount. The guest will open the volume and write secret data using a volume key known to the attacker, causing disclosure of Wireguard keys and other secret information. The attacker can also pre-load data on the device, which could potentially compromise guest execution. LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume opens (cryptsetup open) without error using any passphrase or token, records all writes in plaintext (or ciphertext with an attacker-known key), and/or contains arbitrary data chosen by the attacker. Version 0.5.4 of dstack contains a patch that addresses LUKS headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Dstack Tee/DstackOSV2 versions
    gateway-v0.5.3, kms-v0.5.3, kms-v0.5.4, …+ 1 more
    • (no CPE)range: gateway-v0.5.3, kms-v0.5.3, kms-v0.5.4, …
    • (no CPE)range: <0.5.4

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.