A security vulnerability, CVE-2025-23359, has been identified in the NVIDIA Container Toolkit. This is a bypass of the original patch for CVE-2024-0132. The vulnerability was discovered by Wiz Research. 

CVE-2025-23359 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability that bypasses the fix for a previous vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit. By manipulating file paths with a symbolic link during mount operations, an attacker can mount the host's root file system into a container, gaining unrestricted access. Although initial access is read-only, attackers can exploit Unix sockets to launch new, privileged containers, achieving full host compromise.

Conditions/Preconditions: 

  • The vulnerability occurs when the NVIDIA Container Toolkit is used with its default configuration. 
  • A crafted container image is required to exploit the vulnerability.

Who is at risk? 

  • Any AI application running the vulnerable container toolkit, whether in the cloud or on-premises, is affected. 
  • Cloud Service Providers are particularly vulnerable. 

Attack Vector: 

  • The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) issue. 
  • It involves manipulating file paths during mount operations using a symbolic link. This allows mounting from outside the container (the root directory) into a path within "/usr/lib64". 
  • Even though the initial access to the host file system is read-only, attackers can interact with Unix sockets to spawn new privileged containers and gain unrestricted access. 

Affected Versions: 

  • NVIDIA Container Toolkit: All versions up to and including 1.17.3 
  • NVIDIA GPU Operator: All versions up to and including 24.9.1 

Recommendations: 

  • Update to the latest version of NVIDIA Container Toolkit (1.17.4) and NVIDIA GPU Operator (24.9.2). 
  • Do not disable the --no-cntlibs flag in production environments. 
  • Prioritize patching for VMs that are likely using the toolkit to launch container images. 
  • Prioritize cases where vulnerable container hosts are using a container image from a publicly writable repository or an external source. 
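
A triage check built from the affected versions and patching priorities listed above, as an added example that is not code from NVIDIA or Wiz. The inventory records, host names and the `untrusted_images` field are assumptions constructed for illustration.

```python
import re

# Last affected releases, as listed under "Affected Versions" in this advisory.
LAST_AFFECTED = {
    "nvidia-container-toolkit": (1, 17, 3),
    "gpu-operator": (24, 9, 1),
}

def parse_version(text):
    """Return the X.Y.Z core of strings such as 'v24.9.1' or '1.17.3-1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(component, version_text):
    """True when the version is at or below the last affected release."""
    return parse_version(version_text) <= LAST_AFFECTED[component]

def triage(hosts):
    """Order hosts for patching. Priority 0: affected and runs images from
    an external or publicly writable source; 1: affected; 2: version could
    not be read, check by hand. Hosts on a fixed release are dropped."""
    ranked = []
    for host in hosts:
        try:
            affected = is_affected(host["component"], host["version"])
        except ValueError:
            ranked.append((2, host["name"]))
            continue
        if affected:
            ranked.append((0 if host["untrusted_images"] else 1, host["name"]))
    return sorted(ranked)

# Constructed inventory; names and record layout are hypothetical.
SAMPLE_HOSTS = [
    {"name": "gpu-node-a", "component": "nvidia-container-toolkit", "version": "1.17.3-1", "untrusted_images": False},
    {"name": "gpu-node-b", "component": "nvidia-container-toolkit", "version": "1.16.2", "untrusted_images": True},
    {"name": "gpu-node-c", "component": "nvidia-container-toolkit", "version": "1.17.4", "untrusted_images": True},
    {"name": "gpu-node-d", "component": "nvidia-container-toolkit", "version": "unknown", "untrusted_images": False},
    {"name": "k8s-cluster-1", "component": "gpu-operator", "version": "v24.9.1", "untrusted_images": True},
    {"name": "k8s-cluster-2", "component": "gpu-operator", "version": "24.9.2", "untrusted_images": False},
]

if __name__ == "__main__":
    for priority, name in triage(SAMPLE_HOSTS):
        print(priority, name)
```

Distribution package suffixes such as `-1` are ignored by the comparison, so a pre-release build of a fixed version should be reviewed by hand.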

XYZCorp's Solution: 

At XYZCorp, we understand the importance of security in your AI pipelines. That's why our vulnerability-free, signed images provide a trusted and verified source for your most critical workload. 

Stay safe!