CVE-2025-6587

EUVD-2025-19843

03.07.2025, 10:15

System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc. 
A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
Docker	CNA	5.2 MEDIUM	LOCAL	LOW	LOW	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
docker	desktop	𝑥 < 4.43.0	CNA

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs