CVE-2025-0495

17.03.2025, 20:15

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit.

Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-fromconfiguration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command.OpenTelemetry traces are also saved in BuildKit daemon's history records.

This vulnerability does not impact secrets passed to the Github cache backendvia environment variables or registry authentication.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Docker	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Ubuntu Releases

Ubuntu Product

Codename

docker-buildx

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://github.com/docker/buildx