{"id":"CVE-2025-65105","summary":"Apptainer ineffective application of selinux and apparmor --security options","details":"Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:\u003cprofile\u003e and --security=selinux:\u003clabel\u003e which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.","aliases":["GHSA-j3rw-fx6g-q46j","GO-2025-4176"],"modified":"2026-05-01T04:30:18.984450Z","published":"2025-12-02T17:49:17.312Z","related":["GHSA-cgrx-mc8f-2prm","GHSA-j3rw-fx6g-q46j","GHSA-wwrx-w7c9-rf87","SUSE-SU-2025:4395-1","SUSE-SU-2026:0439-1","openSUSE-SU-2026:10013-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-61","CWE-706"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65105.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65105.json"},{"type":"ADVISORY","url":"https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j"},{"type":"ADVISORY","url":"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"},{"type":"ADVISORY","url":"https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65105"},{"type":"FIX","url":"https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981"},{"type":"FIX","url":"https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2"},{"type":"FIX","url":"https://github.com/apptainer/apptainer/pull/3226"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apptainer/apptainer","events":[{"introduced":"0"},{"fixed":"3a171cf5ead2f27884de771c515efccb0a8ab4df"},{"fixed":"4313b42717e18a4add7dd7503528bc15af905981"},{"fixed":"82f17900a0c31bc769bf9b4612d271c7068d8bf2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.5"}]}}],"versions":["v0.1.0","v0.1.1","v1.1.0-rc.1","v1.1.0-rc.2","v1.4.0","v1.4.0-rc.1","v1.4.0-rc.2","v1.4.1","v1.4.2","v1.4.3","v1.4.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-65105.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}]}