GHSA-49p4-px3h-rq49MediumCVSS 6.3

Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive

Published
June 22, 2026
Last Modified
June 22, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

When processing a build contexts or add/copy instructions, a malicious server serving a Git repository or a tar archive file can cause files outside of the build context directory to be included in the build context or copied into the build.

Patches

Fixed in Buildah 1.44 and 1.43.2.

🎯 Affected products1

  • go/github.com/containers/buildah:>= 1.38.1, < 1.43.2

🔗 References (3)