🚀 Enhancements
fix: Upgrade containerd to v2.1.5 to address CVE-2024-25621 and CVE-2025-64329 @osterman (#1770)
## Summary
Upgrades github.com/containerd/containerd/v2 from v2.1.4 to v2.1.5 to address two security vulnerabilities.
## Security Fixes
### CVE-2024-25621 (High Severity)
Local privilege escalation via wide permissions on CRI directory
- Impact: Directory permissions were overly broad, allowing local users to access sensitive data
  - `/var/lib/containerd` created with 0o711 instead of 0o700
  - `/run/containerd/io.containerd.grpc.v1.cri` created with 0o755 instead of 0o700
  - `/run/containerd/io.containerd.sandbox.controller.v1.shim` created with 0o711 instead of 0o700
- Risk: Local users could access metadata store, content store, and Kubernetes local volumes
- Fix: v2.1.5 automatically updates existing directory permissions on upgrade
### CVE-2025-64329 (Moderate Severity)
Host memory exhaustion through Attach goroutine leak
- Impact: Repetitive CRI Attach calls (e.g., `kubectl attach`) could leak goroutines
- Risk: Memory exhaustion on the host over time
- Fix: Proper goroutine cleanup in CRI Attach implementation
## Changes
- Upgraded `github.com/containerd/containerd/v2` from v2.1.4 to v2.1.5
- Updated go.mod and go.sum
## Testing
- ✅ `make build` - Build successful
- ✅ `make test-short` - Tests pass (pre-existing failures unrelated to this change)
## References
- Dependabot Alert #128: https://github.com/cloudposse/atmos/security/dependabot/128
- Dependabot Alert #129: https://github.com/cloudposse/atmos/security/dependabot/129
- CVE-2024-25621: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25621
- CVE-2025-64329: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
- containerd v2.1.5 release: https://github.com/containerd/containerd/releases/tag/v2.1.5
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com
## Summary by CodeRabbit
- Chores
  - Updated containerd dependency to version 2.1.5
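A host-side check to go with the CVE-2024-25621 entry above, added here as an example; it is not code from this PR, from Atmos, or from containerd. It audits the three directories named in the description against the owner-only mode (0o700) the fix expects and reports any that still carry wider bits. The names `PermCheck`, `AuditDirs`, `Prefix` and `DemoTree` are this example's own, and `DemoTree` builds a constructed scratch tree reproducing the pre-fix modes (0o711, 0o755, 0o711) so the audit can be exercised without a containerd host; on a real host, call `AuditDirs(ContainerdDirChecks)` directly.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// PermCheck pairs a directory with the most permissive mode it may have.
type PermCheck struct {
	Path string
	Max  fs.FileMode // e.g. 0o700
}

// Finding records a directory whose permission bits exceed the allowed set.
type Finding struct {
	Path   string
	Actual fs.FileMode
	Max    fs.FileMode
}

// ContainerdDirChecks lists the directories named in the CVE-2024-25621
// description, each expected to be owner-only (0o700) after the fix.
var ContainerdDirChecks = []PermCheck{
	{"/var/lib/containerd", 0o700},
	{"/run/containerd/io.containerd.grpc.v1.cri", 0o700},
	{"/run/containerd/io.containerd.sandbox.controller.v1.shim", 0o700},
}

// AuditDirs stats each directory and reports any whose permission bits include
// a bit outside Max (e.g. 0o711 or 0o755 against 0o700). Missing directories
// are skipped: a path that does not exist cannot expose anything.
func AuditDirs(checks []PermCheck) ([]Finding, error) {
	var findings []Finding
	for _, c := range checks {
		info, err := os.Stat(c.Path)
		if os.IsNotExist(err) {
			continue
		}
		if err != nil {
			return nil, fmt.Errorf("stat %s: %w", c.Path, err)
		}
		if !info.IsDir() {
			return nil, fmt.Errorf("%s is not a directory", c.Path)
		}
		perm := info.Mode().Perm()
		if perm&^c.Max != 0 {
			findings = append(findings, Finding{Path: c.Path, Actual: perm, Max: c.Max})
		}
	}
	return findings, nil
}

// Prefix rewrites the checks to live under root, so the audit can be run
// against a scratch tree instead of the real /var/lib and /run.
func Prefix(root string, checks []PermCheck) []PermCheck {
	out := make([]PermCheck, len(checks))
	for i, c := range checks {
		out[i] = PermCheck{Path: filepath.Join(root, c.Path), Max: c.Max}
	}
	return out
}

// DemoTree builds a constructed tree under root with the pre-fix modes from
// the description (0o711, 0o755, 0o711) so the audit has something to find.
func DemoTree(root string) error {
	modes := []fs.FileMode{0o711, 0o755, 0o711}
	for i, c := range ContainerdDirChecks {
		p := filepath.Join(root, c.Path)
		if err := os.MkdirAll(p, 0o700); err != nil {
			return err
		}
		// Chmod explicitly: the mode passed to MkdirAll is masked by the umask.
		if err := os.Chmod(p, modes[i]); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "cve-2024-25621-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := DemoTree(root); err != nil {
		panic(err)
	}
	findings, err := AuditDirs(Prefix(root, ContainerdDirChecks))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: mode %04o exceeds %04o\n", f.Path, f.Actual, f.Max)
	}
	if len(findings) == 0 {
		fmt.Println("all containerd directories are owner-only")
	}
}
```

The check flags any group or other bit, not just the exact values quoted in the description, so it also catches a directory that was hand-chmodded to something else. An empty result after the upgrade is the confirmation a practitioner wants that the on-upgrade permission update described above actually ran on that host.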
🐛 Bug Fixes
fix: Upgrade containerd to v2.1.5 to address CVE-2024-25621 and CVE-2025-64329 @osterman (#1770)