NVIDIA Software Loophole Exposes Developers

Cybersecurity researchers have discovered a way to bypass the fix for a recently patched vulnerability in NVIDIA Container Toolkit, allowing attackers to break container isolation and gain full access to the host. The new vulnerability is tracked as CVE-2025-23359 and has a CVSS score of 8.3.

The flaw affects the following product versions:

  • NVIDIA Container Toolkit – all versions up to 1.17.3 (fixed in 1.17.4)
  • NVIDIA GPU Operator – all versions before 24.9.1 (fixed in 24.9.2)

NVIDIA acknowledged the issue in its official security notice, stating that it is a TOCTOU (time-of-check to time-of-use) vulnerability. In the default configuration, an attacker can use a specially crafted container to access the host file system, potentially leading to arbitrary code execution, privilege escalation, denial of service, and data manipulation.

Wiz, a cloud security company, provided additional technical details: CVE-2025-23359 is a bypass for CVE-2024-0132 (CVSS: 9.0), a vulnerability patched in September 2024.

During an attack, the attacker can mount the host's root file system inside the container, gaining full access to all data and processes. The compromised environment also makes it possible to launch privileged containers via UNIX sockets, resulting in complete host compromise.

Researchers Shir Tamari, Ronen Shustin, and Andres Riancho from Wiz found that the file mounting mechanism in NVIDIA Container Toolkit allows the use of symbolic links. This lets attackers manipulate paths to bring files from the host's root directory into the container, and then use UNIX sockets to
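The class of bug described above, as an added example that is not NVIDIA's or Wiz's code: a path is validated, a directory is replaced by a symlink before the path is used, and the later path-based access lands outside the intended root. The hardened function shows one generic mitigation pattern (walking from a directory descriptor with `O_NOFOLLOW`), not the toolkit's actual fix; all function names and the temporary directory layout are constructed for illustration, and Linux is assumed.

```python
import os
import tempfile

def check_path(root, rel):
    """Time of check: resolve symlinks, confirm the target stays under root."""
    base = os.path.realpath(root)
    real = os.path.realpath(os.path.join(base, rel))
    return os.path.commonpath([base, real]) == base

def use_by_path(root, rel):
    """Time of use (unsafe): the path is resolved again, as it exists now."""
    with open(os.path.join(root, rel)) as f:
        return f.read()

def open_beneath(root, rel):
    """Hardened: walk from a root fd, refusing symlinks; the fd is what gets used."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            if part == "..":
                raise PermissionError("'..' is not allowed")
            is_dir = os.O_DIRECTORY if i < len(parts) - 1 else 0
            nxt = os.open(part, os.O_RDONLY | os.O_NOFOLLOW | is_dir, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def demo():
    """Constructed scenario: a directory is swapped for a symlink after the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "root"), os.path.join(tmp, "outside")
        for d, text in ((os.path.join(root, "lib"), "inside"), (outside, "outside")):
            os.makedirs(d)
            with open(os.path.join(d, "data"), "w") as f:
                f.write(text)
        ok = check_path(root, "lib/data")               # check passes
        os.rename(os.path.join(root, "lib"), os.path.join(root, "lib.bak"))
        os.symlink(outside, os.path.join(root, "lib"))  # path now points elsewhere
        leaked = use_by_path(root, "lib/data")          # stale check, new target
        try:
            os.close(open_beneath(root, "lib/data"))
            blocked = False
        except OSError:                                 # symlink component refused
            blocked = True
        return ok, leaked, blocked
```

Calling `demo()` returns the check result, what the path-based read returned, and whether the descriptor-based open refused the swapped path. On Linux 5.6 and later, the `openat2()` system call with `RESOLVE_BENEATH` enforces the same containment in the kernel.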
