We are notifying you about two recently disclosed CVEs: CVE-2025-53945 and CVE-2025-54059. These CVEs affect Chainguard container images built between June 16 and July 16, 2025.
These issues involve incorrect file permissions on /etc/ld.so.cache (CVE-2025-53945) and APK package SBOMs (CVE-2025-54059). While we have no evidence of active exploitation, one of the CVEs may enable privilege escalation within the container under certain conditions. Out of an abundance of caution, we strongly recommend updating to the latest version.
We have filed CVEs, released security fixes, and rebuilt affected images and packages.
To verify if you’re impacted, you can check the file permissions of your container images from outside of the container using this example (for python:latest) with the crane tool:
Affected
$ crane export cgr.dev/chainguard/python:latest | tar tv | grep etc/ld.so.cache
-rw-rw-rw- root/root 3712 1970-01-01 00:00 etc/ld.so.cache
An unaffected image will either show a non-existing file, or:
$ crane export cgr.dev/chainguard/python:latest | tar tv | grep etc/ld.so.cache
-rw-r--r-- root/root 3712 1970-01-01 00:00 etc/ld.so.cache
Read on for more details on what happened, required actions, and more,
Announcement date | Planned Change date |
Jul 17, 2025 | Jul 17, 2025 |
What happened?
apko and melange had recent changes involving golang’s os.Create() which inadvertently set certain file permissions to 0666 which is globally writable.
The issue in apko (CVE-2025-53945) has a high severity. It could enable an unprivileged user to inject code that could be executed by other users within the container (including root). Chainguard images have been rebuilt since apko was fixed.
The related issue in melange (CVE-2025-54059) has a low impact. It could enable an unprivileged user to tamper with package SBOMs on a running image, potentially confusing security scanners.Packages rebuilt since July 17, 2025 are not affected. Updated images will be released July 17, 2025 addressing CVE-2025-53945. Updated packages (and subsequent images) will be released over the next several (~3 days) addressing CVE-2025-54059.
What do I need to do?
Pull the latest versions of your images and packages.
No pipeline or config changes are required
If using digest-pinned versions of images, you will need to update the digest you are using
FAQs
Will my images break?
No. This is a non-functional rebuild of all packages and images, addressing incorrect filesystem permissions of some very specific files. Image functionality is unchanged.
How do I check if an image is impacted by CVE-2025-53945?
You can use a tool like crane to inspect an image without running it:
Affected $ crane export cgr.dev/chainguard/glibc-dynamic:latest | \ tar tv | grep etc/ld.so.cache -rw-rw-rw- root/root 1904 1970-01-01 00:00 etc/ld.so.cache
A non-impacted image will either show a non-existing file:
Unaffected $ crane export cgr.dev/chainguard/glibc-dynamic:latest | \ tar tv | grep etc/ld.so.cache <nothing>
or display the correct permissions:
Also Unaffected $ crane export cgr.dev/chainguard/glibc-dynamic:latest | \ tar tv | grep etc/ld.so.cache -rw-r--r-- root/root 1904 1970-01-01 00:00 etc/ld.so.cache
If your container features a shell, you can also validate this from within a running container:
Affected $ ls -l /etc/ld.so.cache -rw-rw-rw- root/root 1904 1970-01-01 00:00 etc/ld.so.cache
Unaffected $ ls -l /etc/ld.so.cache ls: cannot access '/etc/ld.so.cache': No such file or directory
Also Unaffected $ ls -l /etc/ld.so.cache -rw-r--r-- root/root 1904 1970-01-01 00:00 etc/ld.so.cache
How do I check if a package is affected by CVE-2025-54059?
Affected $ ls -l /var/lib/db/sbom total 168 -rw-rw-rw- 1 root root 3593 Jul 2 13:52 apk-tools-2.14.10-r5.spdx.json -rw-rw-rw- 1 root root 3457 Jul 4 06:25 bash-5.3-r0.spdx.json -rw-rw-rw- 1 root root 3132 Jun 17 13:28 busybox-1.37.0-r46.spdx.json -rw-r--r-- 1 root root 3745 Jul 17 16:40 ca-certificates-bundle-20250619-r2.spdx.json -rw-rw-rw- 1 root root 2249 May 28 18:22 chainguard-baselayout-20230214-r13.spdx.json -rw-rw-rw- 1 root root 3304 Jul 16 08:23 curl-8.15.0-r0.spdx.json -rw-rw-rw- 1 root root 3116 May 29 21:49 cyrus-sasl-2.1.28-r42.spdx.json -rw-rw-rw- 1 root root 3106 Jun 23 21:17 gdbm-1.25-r2.spdx.json -rw-rw-rw- 1 root root 3455 Jul 2 16:06 glibc-2.41-r53.spdx.json ...
Or not affected:
Affected $ ls -l /var/lib/db/sbom total 168 -rw-r--r-- 1 root root 3593 Jul 2 13:52 apk-tools-2.14.10-r5.spdx.json -rw-r--r-- 1 root root 3457 Jul 4 06:25 bash-5.3-r0.spdx.json -rw-r--r-- 1 root root 3132 Jun 17 13:28 busybox-1.37.0-r46.spdx.json -rw-r--r-- 1 root root 3745 Jul 17 16:40 ca-certificates-bundle-20250619-r2.spdx.json -rw-r--r-- 1 root root 2249 May 28 18:22 chainguard-baselayout-20230214-r13.spdx.json -rw-r--r-- 1 root root 3304 Jul 16 08:23 curl-8.15.0-r0.spdx.json -rw-r--r-- 1 root root 3116 May 29 21:49 cyrus-sasl-2.1.28-r42.spdx.json -rw-r--r-- 1 root root 3106 Jun 23 21:17 gdbm-1.25-r2.spdx.json -rw-r--r-- 1 root root 3455 Jul 2 16:06 glibc-2.41-r53.spdx.json ...
Need help or have questions?
We're here to help - visit our support portal at support.chainguard.dev.
- Chainguard Team
Comments
0 comments
Article is closed for comments.