OSG-SEC-2021-05-27 Vulnerability in Singularity

Dear OSG Security Contacts,

A security vulnerability in Singularity has been publicly announced [1]. Under conditions unlikely to occur for OSG users, it is possible for someone to publish a malicious container that takes priority over a container that a user is expecting to run.

The OSG Security team considers the vulnerability to be of MODERATE severity.


Affected software: Singularity 3.7.2 and 3.7.3


By default, singularity commands that use “library://” for downloading containers read those containers from That is a publicly accessible server and anyone may freely create an account there for storing containers, similar to Docker Hub. Users can also choose to redirect “library://” references to a private server with the singularity “remote” command. The vulnerability is that the singularity action commands (run/shell/exec) always try to download from first, so someone could publish a container there with the same name as a container on the private server and the untrusted container from the public server would instead be used.


If you have Singularity 3.7.2 or 3.7.3 installed and think some of your users might be using a private server for library:// containers, notify them either not to use it until 3.7.4 is available in EPEL or to create an identical account name for themselves on
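The two checks a site administrator would want to script from this notice are (a) whether an installed Singularity reports one of the affected versions and (b) which library:// account names their users' job scripts reference, so that those names can be compared against the private server and the public one. The snippet below is an added example written for this page, not code from OSG or the Singularity project; it takes the version string and job-script text as input (constructed sample lines are used in the usage section) rather than invoking singularity itself, so it runs offline.

```shell
#!/bin/sh
# Added example for the OSG advisory above; not part of the advisory.
# Both functions work on text you pass in, so they can be run against
# `singularity --version` output or saved job scripts without the
# singularity binary being present.

# singularity_is_affected VERSION_STRING
#   Returns 0 if the version is 3.7.2 or 3.7.3 (affected), 1 otherwise.
#   Accepts a bare "3.7.3", the "singularity version 3.7.3" line printed
#   by `singularity --version`, or a packaged form such as "3.7.3-1.el7".
singularity_is_affected() {
  # Replace everything except digits, dots and newlines with spaces, then
  # keep the first whitespace-separated token that looks like X.Y.Z.
  ver=$(printf '%s\n' "$1" | tr -c '0-9.\n' ' ' \
        | awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }')
  case "$ver" in
    3.7.2|3.7.3) return 0 ;;
    *)           return 1 ;;
  esac
}

# library_account_names < job-scripts
#   Reads text on stdin and prints, once each, the first path element of
#   every library:// reference (the account or entity name). Administrators
#   can then verify that each name belongs to a user of the private remote
#   and check whether the same name exists on the public library server.
library_account_names() {
  sed -n 's#.*library://\([^/[:space:]:]*\).*#\1#p' | sort -u
}

# Usage with constructed sample input (not real site data):
#   singularity_is_affected "singularity version 3.7.3" && echo "affected"
#   printf 'singularity exec library://alice/default/tool:1.0 ./run.sh\n' \
#     | library_account_names        # prints: alice
```

The version check deliberately treats only 3.7.2 and 3.7.3 as affected, matching the advisory; a release older than 3.7.2 is not flagged, so it is a check for this notice and not a general "is my Singularity current" test.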



Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team