Summary
The tap CNI plugin binary shipped in the amazon-k8s-cni-init container image contains github.com/opencontainers/selinux v1.12.0, which is affected by CVE-2025-52881 (CVSS 7.3 High — Race Condition Enabling Link Following in go-selinux).
The fix is to bump FETCH_VERSION in the Makefile from containernetworking/plugins v1.9.0 to v1.9.1, which updates opencontainers/selinux from v1.12.0 to v1.13.0 (the patched version). The latest available opencontainers/selinux is v1.15.0.
Affected Component
- Binary: /opt/cni/bin/tap (inside the amazon-k8s-cni-init image)
- Vulnerable dependency: github.com/opencontainers/selinux v1.12.0 (transitive via containernetworking/plugins v1.9.0)
- CVE: CVE-2025-52881
- Fixed in: github.com/opencontainers/selinux >= v1.13.0 (opencontainers/selinux#237)
- Upstream fix: containernetworking/plugins v1.9.1 bumps selinux to v1.13.0
Affected VPC CNI Versions
All available versions ship the vulnerable binary (verified via Trivy scan):
| VPC CNI Version | selinux version in tap | Vulnerable? |
|---|---|---|
| v1.22.1-eksbuild.2 | v1.12.0 | Yes |
| v1.21.2-eksbuild.2 | v1.12.0 | Yes |
| v1.19.2-eksbuild.1 | v1.11.0 | Yes |
How We Verified
# Confirmed the vulnerable library is compiled into the tap binary on EKS nodes:
kubectl debug node/<node> -it --image=public.ecr.aws/amazonlinux/amazonlinux:2023 \
-- grep -ao 'opencontainers/selinux[^ ]*' /host/opt/cni/bin/tap
# Output:
# opencontainers/selinux v1.12.0
# Also confirmed via Trivy scan of the init image:
trivy image 602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon-k8s-cni-init:v1.22.1-eksbuild.2
# Target: init/tap, Package: github.com/opencontainers/selinux, Version: v1.12.0
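As an added example (not code from this report or from the amazon-vpc-cni-k8s project), the Go program below performs the same check as the grep above against the module list Go embeds in every binary, which also reflects replace directives that a plain string grep can miss; the fixed version v1.13.0 and the path /host/opt/cni/bin/tap are taken from this report, and a go-selinux pseudo-version that predates v1.13.0 is still flagged as vulnerable.

```go
package main

import (
	"debug/buildinfo"
	"runtime/debug"
	"strconv"
	"strings"
)

// First go-selinux release carrying the CVE-2025-52881 fix, as stated in the report.
const selinuxModule, fixedVersion = "github.com/opencontainers/selinux", "v1.13.0"

// versionKey maps "v1.12.0" to an integer that orders like semver: MAJOR.MINOR.PATCH
// packed base-1000, with a pre-release suffix (e.g. a Go pseudo-version) ranking below
// the release it precedes; build metadata after '+' is ignored.
func versionKey(v string) (key int) {
	base, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	base, _, _ = strings.Cut(base, "+")
	for _, p := range strings.SplitN(base, ".", 3) {
		n, _ := strconv.Atoi(p)
		key = key*1000 + n
	}
	if pre == "" {
		return key*2 + 1 // a final release ranks above any pre-release of itself
	}
	return key * 2
}

// SELinuxStatus finds go-selinux in a binary's embedded module list (honouring
// replace directives); version is "" when the module is not linked in at all.
func SELinuxStatus(info *debug.BuildInfo) (version string, vulnerable bool) {
	for _, dep := range info.Deps {
		m := dep
		if dep.Replace != nil {
			m = dep.Replace
		}
		if m.Path == selinuxModule {
			return m.Version, versionKey(m.Version) < versionKey(fixedVersion)
		}
	}
	return "", false
}

// CheckBinary reads the build info embedded in a Go binary such as /host/opt/cni/bin/tap.
func CheckBinary(path string) (version string, vulnerable bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	version, vulnerable = SELinuxStatus(info)
	return version, vulnerable, nil
}
```

Run it as `go run check.go /host/opt/cni/bin/tap` from a node debug pod; a binary built without module support returns an error from `buildinfo.ReadFile` rather than a false "not vulnerable".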
Proposed Fix
Bump FETCH_VERSION in the Makefile from 1.9.0 to 1.9.1:
- plugins: FETCH_VERSION=1.9.0
+ plugins: FETCH_VERSION=1.9.1
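Review bot: the one-line bump only closes the CVE if containernetworking/plugins v1.9.1 actually pins opencontainers/selinux at v1.13.0 or later, so the PR should include the evidence for that (the relevant go.mod line from v1.9.1, or `go version -m` output for the rebuilt tap binary showing selinux v1.13.0) rather than relying on the statement in this issue alone. Since the report also notes that the latest go-selinux is v1.15.0, a short note on whether the project intends to keep tracking the plugins release rather than pinning selinux directly would help reviewers judge whether 1.9.1 is the right target.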
This ensures the CNI plugins are built against containernetworking/plugins v1.9.1, which includes opencontainers/selinux v1.13.0 (the CVE fix).
I will be submitting a pull request with this change shortly.
References
Environment
- EKS v1.35.5
- VPC CNI v1.22.1-eksbuild.2
- Node AMI: Amazon Linux 2023.11.20260526
- Scanner: Wiz