WORKDIR should not be mounted on system dirs

ID

sys_workdir_mounts

Severity

critical

Family

Container Security

Tags

container-escape, dockerfile, security, supply-chain

Description

WORKDIR should not point into system directories such as /proc, /sys or /dev. A working directory inside one of the kernel's pseudo-filesystems has been used to break out of the container, so keep WORKDIR on an ordinary application path.

Security

The "Leaky Vessels" family of vulnerabilities (CVE-2024-21626 in runc, plus related BuildKit issues) targets container isolation; the runc bug in particular is reached through WORKDIR handling. A file descriptor to a host directory leaks into the container process and is visible as /proc/self/fd/<n>, so a WORKDIR that points into /proc/self/fd/ gives the process a working directory on the host filesystem, from which it can read and modify host files. Because the WORKDIR instruction is attacker-controlled input whenever you build or run an untrusted image, a WORKDIR under /proc (or any other system directory) should be treated as a red flag.

Reference: OpenSSF post about Leaky Vessels vulnerabilities.

Examples

FROM alpine:3.5
RUN apk add --update py2-pip
# issue, /proc is a system directory
WORKDIR /proc/self/fd/1

Mitigation / Fix

FROM alpine:3.5
RUN apk add --update py2-pip
# fixed, normal directory as workdir
WORKDIR /app
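Below is an added example of how a scanner can enforce this rule statically; it is not the original page's code nor the code of the linter that defines sys_workdir_mounts. It joins backslash continuations, tracks the current working directory so that relative WORKDIR values and `..` traversal are resolved before the check, reports WORKDIR values containing build variables as unresolved rather than silently passing them, and runs over the two Dockerfiles from this page plus two constructed variants. The list of system prefixes, the reset of the working directory to "/" at each FROM (a base image's own WORKDIR is unknown to a static check) and the sample Dockerfiles are assumptions chosen for illustration.

```python
"""Added example: static check for WORKDIR values resolving into system directories.
Not the original page's code; prefixes, stage handling and samples are assumptions."""
import posixpath
import re

# Assumed set of system directory prefixes a WORKDIR must never resolve into.
# /proc is the one abused by CVE-2024-21626 (leaked host fd under /proc/self/fd).
SYSTEM_DIRS = ("/proc", "/sys", "/dev", "/boot")

# Dockerfile instruction followed by its argument string (WORKDIR has no JSON form).
_INSTR = re.compile(r"^\s*(?P<instr>[A-Za-z]+)\s+(?P<args>.*)$")


def _logical_lines(text):
    """Yield (first_line_no, instruction_text) with backslash continuations joined
    and comment/blank lines dropped, the way the Dockerfile parser assembles one
    instruction from several physical lines."""
    buf, start = [], None
    for idx, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if start is None:
            start = idx
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def is_system_path(path):
    """True if the normalised absolute path is, or lies under, a system directory.
    Normalising first catches /app/../proc/... and avoids matching /procs by prefix."""
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in SYSTEM_DIRS)


def check_workdirs(dockerfile):
    """Return (line_no, stage, raw_value, resolved_path, verdict) for every WORKDIR.
    verdict is "issue", "ok" or "unresolved" (value uses $VAR, needs manual review)."""
    findings = []
    cwd = "/"   # assumption: each stage starts at "/", base image WORKDIR is unknown
    stage = 0
    for line_no, logical in _logical_lines(dockerfile):
        m = _INSTR.match(logical)
        if not m:
            continue
        instr = m.group("instr").upper()
        args = m.group("args").strip().strip("\"'")
        if instr == "FROM":
            stage += 1
            cwd = "/"
            continue
        if instr != "WORKDIR":
            continue
        if "$" in args:
            # ARG/ENV expansion is not modelled; surface it instead of passing it.
            findings.append((line_no, stage, args, None, "unresolved"))
            continue
        resolved = posixpath.normpath(posixpath.join(cwd, args))
        cwd = resolved  # relative WORKDIRs chain off the previous one
        verdict = "issue" if is_system_path(resolved) else "ok"
        findings.append((line_no, stage, args, resolved, verdict))
    return findings


# Constructed samples: the page's "issue" and "fixed" Dockerfiles plus two variants.
SAMPLES = {
    "issue": "FROM alpine:3.5\nRUN apk add --update py2-pip\n"
             "# issue, /proc is a system directory\nWORKDIR /proc/self/fd/1\n",
    "fixed": "FROM alpine:3.5\nRUN apk add --update py2-pip\n"
             "# fixed, normal directory as workdir\nWORKDIR /app\n",
    "traversal": "FROM alpine:3.5\nWORKDIR /app\n"
                 "# relative path climbing out of /app; still /proc after normalisation\n"
                 "WORKDIR ../proc/self/fd/1\n",
    "variable": "FROM alpine:3.5\nARG DIR=/proc/self/fd/1\nWORKDIR $DIR\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        for line_no, stage, raw, resolved, verdict in check_workdirs(content):
            print(f"{name}:{line_no} stage {stage} WORKDIR {raw!r} -> {resolved} [{verdict}]")
```

The check is Dockerfile-side only: it stops the pattern from entering your own images but does nothing against an image someone else built. The actual fix for CVE-2024-21626 is a patched runtime (runc 1.1.12 or later), which this rule complements rather than replaces.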