High severity 8.3 · NVD Advisory · Published Jun 24, 2025 · Updated Apr 15, 2026
CVE-2025-6032
Description
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading VM images from an OCI registry. This issue allows a man-in-the-middle attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/containers/podman/v4 (Go) | >= 4.8.0, <= 4.9.5 | — |
| github.com/containers/podman/v5 (Go) | < 5.5.2 | 5.5.2 |
Patches
726b506acc8a · machine init: fix tls check
2 files changed · +4 −4
pkg/machine/ocipull/ociartifact.go+1 −1 modified@@ -217,7 +217,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest } fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference()) sysCtx := &types.SystemContext{ - DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify), + DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify, } imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx) if err != nil {
pkg/machine/ocipull/pull.go+3 −3 modified@@ -21,8 +21,8 @@ import ( // PullOptions includes data to alter certain knobs when pulling a source // image. type PullOptions struct { - // Require HTTPS and verify certificates when accessing the registry. - TLSVerify bool + // Skip TLS verification when accessing the registry. + SkipTLSVerify types.OptionalBool // [username[:password] to use when connecting to the registry. Credentials string // Quiet the progress bars when pushing. @@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d } sysCtx := &types.SystemContext{ - DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify), + DockerInsecureSkipTLSVerify: options.SkipTLSVerify, } if options.Credentials != "" { authConf, err := parse.AuthConfig(options.Credentials)
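Review bot: in pkg/machine/ocipull/ociartifact.go (getDestArtifact), the replaced line `types.NewOptionalBool(!o.pullOptions.TLSVerify)` turned a TLSVerify left at its false zero value into "skip verification", and neither of the two changed files adds a test that pins the corrected behaviour. Please add a regression test asserting that a pullOptions value with SkipTLSVerify left unset yields a SystemContext whose DockerInsecureSkipTLSVerify is not true.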
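Review bot: in pkg/machine/ocipull/pull.go (PullOptions struct), the new comment "Skip TLS verification when accessing the registry." does not say what the field means when it is left unset, which is the case that matters now that the type is types.OptionalBool instead of bool. Suggest documenting the unset value explicitly, and fixing the unbalanced bracket in the neighbouring "[username[:password]" comment while touching this block.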
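Review bot: in pkg/machine/ocipull/pull.go (Pull), the SystemContext is built with the same `DockerInsecureSkipTLSVerify: options.SkipTLSVerify` assignment that getDestArtifact carries in ociartifact.go, so the TLS setting is wired by hand in two places and both needed this fix. Consider one helper on PullOptions that returns the SystemContext, so the two download paths cannot drift apart.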
References
- github.com/advisories/GHSA-65gg-3w2w-hr4h (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-6032 (ghsa, ADVISORY)
- access.redhat.com/errata/RHSA-2025:10295 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:10549 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:10550 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:10551 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:10668 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:11359 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:11363 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:11677 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:11681 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:15397 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:9726 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:9751 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:9766 (nvd, WEB)
- access.redhat.com/security/cve/CVE-2025-6032 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3 (nvd, WEB)
- github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h (nvd, WEB)