
Cybersecurity researchers have uncovered a new method to bypass a recently patched vulnerability in the NVIDIA Container Toolkit, enabling attackers to break container isolation and gain full control over the host system. The newly identified flaw, CVE-2025-23359, has been assigned a CVSS severity score of 8.3.
Affected Versions:
- NVIDIA Container Toolkit – All versions prior to 1.17.3 (patched in 1.17.4)
- NVIDIA GPU Operator – All versions prior to 24.9.1 (patched in 24.9.2)
In its official security advisory, NVIDIA attributed the issue to a TOCTOU (Time-of-Check to Time-of-Use) vulnerability. Under standard configurations, an attacker can exploit a maliciously crafted container image to gain access to the host’s file system, opening avenues for arbitrary code execution, privilege escalation, denial-of-service (DoS) attacks, and data manipulation.
Wiz, a cloud security firm, disclosed additional technical details, revealing that CVE-2025-23359 is a bypass of the fix for a previously patched flaw, CVE-2024-0132 (CVSS: 9.0), which was addressed in September 2024.
The attack technique enables an adversary to mount the host’s root file system within the container, granting them unrestricted access to all system data and running processes. Furthermore, a compromised environment allows attackers to launch privileged containers via Unix sockets, leading to complete host takeover.
Security researchers Shir Tamari, Ronen Shustin, and Andres Riancho from Wiz discovered that the file-mounting mechanism in NVIDIA Container Toolkit improperly handles symbolic links. By manipulating file paths, an attacker can load files from the host’s root directory into the container and subsequently leverage Unix sockets to spawn new privileged containers.
While the initial attack vector grants only read access to the host’s file system, this restriction can be circumvented by executing privileged processes to achieve full control over the system. This exploitation path enables interception of network traffic, monitoring of active processes, and execution of critical operations on the host.
Users of NVIDIA Container Toolkit are strongly advised to upgrade to the latest versions and to ensure that the --no-cntlibs flag remains enabled in production environments to mitigate exploitation risks.
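The following script is an added example, not code from the article, NVIDIA or Wiz. It turns the two mitigations above into a host-side check: it compares an installed NVIDIA Container Toolkit or GPU Operator version against the fixed versions named in the advisory (1.17.4 and 24.9.2), and it inspects a captured nvidia-container-cli invocation for the --no-cntlibs flag. Assumptions: nvidia-ctk exists on the host and its --version output contains a dotted X.Y.Z version on its first line; the sample hook command line (SAMPLE_HOOK_ARGS) is constructed for illustration and is not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the article, NVIDIA or Wiz): classify installed
# NVIDIA Container Toolkit / GPU Operator versions against the versions the
# advisory lists as fixed for CVE-2025-23359, and check a captured
# nvidia-container-cli command line for the --no-cntlibs flag.

TOOLKIT_FIXED="1.17.4"        # toolkit versions below this are affected
GPU_OPERATOR_FIXED="24.9.2"   # GPU Operator versions below this are affected

# normalize_version: keep only the leading dotted numeric part of a version
# string ("v1.17.4-1" -> "1.17.4"); prints nothing when no version is found.
normalize_version() {
    nv="${1#v}"
    nv="${nv%%-*}"
    printf '%s\n' "$nv" | sed -nE 's/^([0-9]+(\.[0-9]+)*).*/\1/p'
}

# version_lt A B: exit 0 when A < B, comparing dot-separated fields
# numerically (so 1.9.0 < 1.17.4, which a plain string compare gets wrong).
version_lt() {
    a="$(normalize_version "$1")"
    b="$(normalize_version "$2")"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"      # missing trailing fields count as 0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# status_against VERSION FIXED: print affected / patched / unknown
status_against() {
    sv="$(normalize_version "$1")"
    [ -n "$sv" ] || { echo unknown; return 0; }
    if version_lt "$sv" "$2"; then echo affected; else echo patched; fi
}

toolkit_status()      { status_against "$1" "$TOOLKIT_FIXED"; }
gpu_operator_status() { status_against "$1" "$GPU_OPERATOR_FIXED"; }

# cli_invocation_has_no_cntlibs ARGS: exit 0 when the --no-cntlibs flag is
# present as a whole word in a captured nvidia-container-cli command line.
cli_invocation_has_no_cntlibs() {
    case " $1 " in *" --no-cntlibs "*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of a prestart-hook invocation (illustration only).
SAMPLE_HOOK_ARGS="nvidia-container-cli --load-kmods configure --no-cntlibs --ldconfig=@/sbin/ldconfig --device=all --compute --utility --pid=12345 /proc/12345/root"

# installed_toolkit_version: assumption - the first line of `nvidia-ctk --version`
# carries the toolkit version as X.Y.Z. Fails when nvidia-ctk is not installed.
installed_toolkit_version() {
    command -v nvidia-ctk >/dev/null 2>&1 || return 1
    nvidia-ctk --version 2>/dev/null | head -n1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1
}

main() {
    if tv="$(installed_toolkit_version)" && [ -n "$tv" ]; then
        echo "NVIDIA Container Toolkit $tv: $(toolkit_status "$tv")"
    else
        echo "nvidia-ctk not found on this host; skipping toolkit version check"
    fi
    if cli_invocation_has_no_cntlibs "$SAMPLE_HOOK_ARGS"; then
        echo "sample hook invocation: --no-cntlibs present"
    else
        echo "sample hook invocation: --no-cntlibs MISSING"
    fi
}

main "$@"
```

The GPU Operator version is not read from the host here because it lives in the cluster, not on the node; feed the chart or image version you see in your cluster into gpu_operator_status instead. For the flag check, capture the actual nvidia-container-cli command line from your own process auditing rather than the constructed sample: the script only decides whether a given argument string contains the flag.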