CVE-2025-3911

EUVD-2025-12622

29.04.2025, 18:15

Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to unintentional disclosure of sensitive information such as api keys, passwords, etc.

A malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
Docker	CNA	5.2 MEDIUM	LOCAL	LOW	LOW	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
docker	desktop	𝑥 < 4.41.0	CNA

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs