Podman Improper Certificate Validation; machine missing TLS verification
High severity
GitHub Reviewed
Published
Jun 24, 2025
in
podman-container-tools/podman
•
Updated Nov 29, 2025
Description
Published by the National Vulnerability Database
Jun 24, 2025
Published to the GitHub Advisory Database
Jun 25, 2025
Reviewed
Jun 25, 2025
Last updated
Nov 29, 2025
Impact
The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack.
Patches
podman-container-tools/podman@726b506
Fixed in v5.5.2
Workarounds
Download the disk image manually via some other tool that verifies the TLS connection. Then pass the local image as file path (podman machine init --image ./somepath)
References