VYPR
Low severity (CVSS 3.7) · OSV Advisory · Published Jul 28, 2025 · Updated May 19, 2026

CVE-2025-8283

Description

A vulnerability was found in the netavark package, the network stack for containers used with Podman. Because the dns.podman search domain was removed from the resolver configuration netavark hands to containers, a lookup of a container name may be answered by an external server whenever an upstream resolver returns a valid A/AAAA record for it. When a container is created with a given name, that name is used as the container's hostname. Since Podman's search domain is no longer added, the container resolves names with the search domains taken from the host's resolv.conf, and the resolver tries each of those domains before the bare name. If one of those domains contains a record with the same label as a running container's hostname, the connection is forwarded to an unexpected external server instead of the container.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Netavark vulnerability in Podman: removed dns.podman search domain may cause container DNS to resolve to external servers.

Vulnerability

Description

A vulnerability in the netavark network stack for Podman containers arises from the removal of the dns.podman search domain [1][2]. When a container is created, its name serves as its hostname; without the Podman search domain, the container's resolver falls back to the search domains taken from the host's /etc/resolv.conf [2], so an unqualified name is tried against each host search domain before the bare name is queried [1].

Exploitation

Scenario

An attacker who controls a host search domain (for example through a compromised DNS configuration) could publish records that match the hostnames of running containers [1][2]. If a host search domain contains a name identical to a running container's hostname, the query for that container name may be answered by an external, attacker-controlled server [1][2]. No authentication is required beyond network access to the container's DNS resolver [2].

Impact

Successful exploitation redirects a container's traffic to an unintended external server [1]. This may result in data exfiltration, man-in-the-middle attacks, or disruption of containerized services [2]. The CVSS v3 score is 3.7 (Low) because of the specific preconditions required: a host search domain must contain a record whose label matches a running container's name [1].

Mitigation

Red Hat has acknowledged the vulnerability and recommends updating netavark to a patched version (1.15.1 or later, which restores the dns.podman search domain) [1]. As a workaround, administrators should review the host's DNS search domains and make sure none of them contains records that collide with container names [1][2]. The issue has also been discussed in community reports [3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
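The description above says the container name falls through to the host's search domains once dns.podman is gone, and the mitigation section says to check the search domains. The following Rust program is an added example, not netavark, aardvark-dns or Podman code: it models how a glibc-style stub resolver expands an unqualified name through the search list (per resolv.conf(5): names with fewer than ndots dots are tried with each search domain in order, then bare), and shows the same container name resolving to an upstream record when only the host's search domains are present, but to the container's own address once dns.podman is first in the list. The aardvark-dns behaviour is a simplified assumption (it answers bare container names and names under dns.podman from the network's own table and forwards everything else upstream), the resolv.conf texts, the container name `db`, the search domain `corp.example.com` and all addresses are constructed sample data, and `podman_search_domain_first` is a hypothetical helper for the check an administrator would run on a container's /etc/resolv.conf.

```rust
// Added example (not netavark/aardvark-dns/Podman code). Models glibc search-list
// expansion and a simplified aardvark-dns so the effect of the dns.podman search
// domain is visible; all sample data below is constructed.
use std::collections::HashMap;
use std::net::Ipv4Addr;

const PODMAN_SEARCH_DOMAIN: &str = "dns.podman";

/// Where an answer came from: the container network's own DNS or the upstream.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Origin {
    ContainerNetwork,
    Upstream,
}

/// Parse the `search` and `options ndots:N` lines of a resolv.conf (last `search` wins).
pub fn parse_resolv_conf(text: &str) -> (Vec<String>, usize) {
    let mut search = Vec::new();
    let mut ndots = 1;
    for line in text.lines() {
        let line = line.trim();
        if let Some(rest) = line.strip_prefix("search ") {
            search = rest.split_whitespace().map(str::to_string).collect();
        } else if let Some(rest) = line.strip_prefix("options ") {
            for opt in rest.split_whitespace() {
                if let Some(n) = opt.strip_prefix("ndots:") {
                    ndots = n.parse().unwrap_or(1);
                }
            }
        }
    }
    (search, ndots)
}

/// The FQDNs a stub resolver tries, in order, for `name`: with fewer than `ndots`
/// dots each search domain is appended first and the bare name comes last.
pub fn candidates(name: &str, search: &[String], ndots: usize) -> Vec<String> {
    let dots = name.matches('.').count();
    let with_search = search.iter().map(|d| format!("{name}.{d}"));
    if dots < ndots {
        with_search.chain(std::iter::once(name.to_string())).collect()
    } else {
        std::iter::once(name.to_string()).chain(with_search).collect()
    }
}

/// Simplified aardvark-dns (assumption): answers bare container names and names
/// under dns.podman from the network's table, forwards everything else upstream.
pub struct Resolver {
    pub containers: HashMap<String, Ipv4Addr>,
    pub upstream: HashMap<String, Ipv4Addr>,
}

impl Resolver {
    fn lookup_fqdn(&self, fqdn: &str) -> Option<(Ipv4Addr, Origin)> {
        let suffix = format!(".{PODMAN_SEARCH_DOMAIN}");
        let local = fqdn.strip_suffix(suffix.as_str()).unwrap_or(fqdn);
        if let Some(ip) = self.containers.get(local) {
            return Some((*ip, Origin::ContainerNetwork));
        }
        self.upstream.get(fqdn).map(|ip| (*ip, Origin::Upstream))
    }

    /// Resolve `name` the way the container's libc would: the first candidate
    /// that gets an answer wins, so search-list order decides the outcome.
    pub fn resolve(&self, name: &str, resolv_conf: &str) -> Option<(String, Ipv4Addr, Origin)> {
        let (search, ndots) = parse_resolv_conf(resolv_conf);
        candidates(name, &search, ndots)
            .into_iter()
            .find_map(|c| self.lookup_fqdn(&c).map(|(ip, o)| (c, ip, o)))
    }
}

/// Mitigation check (hypothetical helper): is dns.podman the first search domain?
pub fn podman_search_domain_first(resolv_conf: &str) -> bool {
    let (search, _ndots) = parse_resolv_conf(resolv_conf);
    search.first().map(String::as_str) == Some(PODMAN_SEARCH_DOMAIN)
}

// Constructed resolv.conf samples: the first is what a container sees when only the
// host's search domains are present, the second has dns.podman restored in front.
pub const HOST_SEARCH_ONLY: &str = "nameserver 10.89.0.1\nsearch corp.example.com\noptions ndots:1\n";
pub const WITH_PODMAN_SEARCH: &str = "nameserver 10.89.0.1\nsearch dns.podman corp.example.com\noptions ndots:1\n";

/// Constructed tables: container `db` on the Podman network, and an unrelated
/// `db.corp.example.com` record at the upstream resolver.
pub fn demo_resolver() -> Resolver {
    Resolver {
        containers: HashMap::from([("db".to_string(), Ipv4Addr::new(10, 89, 0, 5))]),
        upstream: HashMap::from([("db.corp.example.com".to_string(), Ipv4Addr::new(203, 0, 113, 10))]),
    }
}

fn main() {
    let r = demo_resolver();
    for (label, conf) in [("host search only", HOST_SEARCH_ONLY), ("dns.podman first", WITH_PODMAN_SEARCH)] {
        let (fqdn, ip, origin) = r.resolve("db", conf).expect("db should resolve");
        println!("{label}: db -> {fqdn} = {ip} via {origin:?}; dns.podman first: {}", podman_search_domain_first(conf));
    }
}
```

With only the host's search domains, `db` expands to `db.corp.example.com` before the bare name is ever tried, so the upstream record wins and the container never reaches its peer; with dns.podman first the expansion `db.dns.podman` is answered from the network's own table. The same ordering rule is why reviewing host search domains is a workaround and not a fix: any host domain that happens to carry a matching label takes precedence.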

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem    Affected versions    Patched versions
netavark   crates.io    < 1.15.1             1.15.1

Affected products

Containers/Netavark (OSV): 2 version ranges
  • (no CPE) range: v1.15.0
  • (no CPE) range: < 1.15.1

Patches

Commit 068abc869b73

Merge pull request #1256 from Luap99/revert-search

Repository: https://github.com/containers/netavark · merged by openshift-merge-bot[bot] · May 27, 2025 · via GHSA
4 files changed · +6 −7
  • src/network/bridge.rs (+6 −1, modified)
    @@ -17,7 +17,7 @@ use crate::{
             iptables::MAX_HASH_SIZE,
             state::{remove_fw_config, write_fw_config},
         },
    -    network::{core_utils::disable_ipv6_autoconf, types},
    +    network::{constants, core_utils::disable_ipv6_autoconf, types},
     };
     
     use super::{
    @@ -227,6 +227,11 @@ impl driver::NetworkDriver for Bridge<'_> {
                 let _ = response
                     .dns_server_ips
                     .insert(data.ipam.nameservers.clone());
    +            // Note: this is being added so podman setup is backward compatible with the design
    +            // which we had with dnsname/dnsmasq.
    +            let _ = response
    +                .dns_search_domains
    +                .insert(vec![constants::PODMAN_DEFAULT_SEARCH_DOMAIN.to_string()]);
     
                 let mut ipv4 = Vec::new();
                 let mut ipv6 = Vec::new();
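Review bot: the new comment above the `dns_search_domains` insert justifies re-adding the search domain only as backward compatibility with dnsname/dnsmasq, but the reason this revert matters is the one in the advisory: without a Podman-owned search domain an unqualified container name is expanded through the host's search domains first and can resolve to an external host. Record that (with the CVE or issue reference) in the comment so a later cleanup does not drop the line again. Separately, `.insert(vec![constants::PODMAN_DEFAULT_SEARCH_DOMAIN.to_string()])` replaces the whole `dns_search_domains` value and the previous value is thrown away by `let _ =`; if anything earlier in this setup path can already populate search domains for the network, this overwrites them, so either append to the existing list or confirm that this is the only writer.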
    
  • test/100-bridge-iptables.bats (+0 −2, modified)
    @@ -316,8 +316,6 @@ fw_driver=iptables
     
         NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
             setup $(get_container_netns_path)
    -    config="$output"
    -    assert_json "$config" ".podman1.dns_search_domains" == "[]" "empty search domains"
     
         # check iptables
         run_in_host_netns iptables -t nat -S NETAVARK-HOSTPORT-DNAT
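Review bot: deleting the `assert_json "$config" ".podman1.dns_search_domains" == "[]"` check leaves this iptables setup test with no assertion on search domains at all, so a future change that drops `dns.podman` again would pass CI unnoticed. Invert the assertion instead of removing it: keep `config="$output"` and follow it with something like `assert_json "$config" ".podman1.dns_search_domains[0]" == "dns.podman" "podman search domain set"`.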
    
  • test/200-bridge-firewalld.bats (+0 −2, modified)
    @@ -162,8 +162,6 @@ function setup() {
         NETAVARK_DNS_PORT="$dns_port" \
             run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
             setup $(get_container_netns_path)
    -    config="$output"
    -    assert_json "$config" ".podman1.dns_search_domains" == "[]" "empty search domains"
     
         # check iptables
         # firewall-cmd --list-rich-rules does not guarantee order, use sort
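Review bot: same gap here for the firewalld driver: the removed `assert_json ... ".podman1.dns_search_domains" == "[]"` line is not replaced by a positive check, so the restored search domain is untested on this path. Keep `config="$output"` and assert that `.podman1.dns_search_domains[0]` equals `dns.podman` so the regression this PR fixes stays covered.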
    
  • test/250-bridge-nftables.bats (+0 −2, modified)
    @@ -314,8 +314,6 @@ export NETAVARK_FW=nftables
     
         NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
             setup $(get_container_netns_path)
    -    config="$output"
    -    assert_json "$config" ".podman1.dns_search_domains" == "[]" "empty search domains"
     
         # check nftables
         run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT
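Review bot: the nftables test loses its only search-domain assertion in this hunk as well; the two deleted lines should be replaced by a check that `.podman1.dns_search_domains` now contains `dns.podman` (for example `assert_json "$config" ".podman1.dns_search_domains[0]" == "dns.podman" "podman search domain set"` after `config="$output"`), otherwise none of the three firewall drivers has a test pinning the fix.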
    


References (9)
