Portainer Bind-mount Restriction Bypass via HostConfig.Mounts (CVE-2025-44850)

Vulnerability Overview Vulnerability Name: Bind-mount restriction bypass via CVE ID: CVE-2025-44850 CVSS v3 Base Metrics: 8.5 / 10 Description: Portainer provides an environment-level "Disable Bind Mounts" security setting designed to prevent regular users from mounting host paths into containers. This setting is implemented via the Docker API proxied by Portainer, which verifies only the array while ignoring the equivalent array. Any user with container creation permissions can submit a type entry in an environment where this restriction is disabled, thereby mounting any host path into the container. Scope Affected Versions: - - - - Severity: High Impact: - Regular users can bypass bind mount restrictions, allowing them to read or write any path on the Docker host. - Other containers on the same host can be compromised. - Access to the Docker socket can be obtained, granting full access to the Docker API. - Persistence can be achieved by writing to the host, installing system units, or modifying cron jobs. Remediation Fixed Versions: - - - Workarounds: - Revoke container creation permissions for non-administrator accounts. - Audit recent container creations to check for type entries within . - Isolate tenant environments by separating workloads into distinct environments. Affected Code Timeline 2020-03-04: Reported to GitHub Security Advisory by offensiveve (Assal Afshar) 2020-03-04: Further independent reports received 2020-04-18: Fix merged into 2020-06-04: Back-merged into and 2020-04-29: Version 2.41.0 released, containing the fix 2020-05-07: Versions 2.33.8 and 2.39.2 released, containing the fix Credits offensiveve (Assal Afshar): Initial report identifying the discrepancy between container creation and Swarm service creation checks regarding bypass alexwaira: Independent report of the same bypass in container creation flubtech: Independent report of the same bypass in container creation Proscan-one: Independent report of the same bypass in container creation jeroeng: Independent report of the same bypass in container creation AyushParkara: Independent report of the same bypass in container creation marduc812: Independent report of the same bypass in container creation

Goal Reached Thanks to every supporter — we hit 100%!

Portainer Bind-mount Restriction Bypass via HostConfig.Mounts (CVE-2025-44850)

More from this source