CVE-2025-0495

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.

CVSS

No CVSS.

References

Link	Resource
https://github.com/docker/buildx

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Buildx es un complemento de Docker CLI que amplía las capacidades de compilación mediante BuildKit. Los backends de caché admiten credenciales configurando secretos directamente como valores de atributo en la configuración de caché de origen/destino. Al proporcionarse como entrada del usuario, estos valores seguros pueden capturarse accidentalmente en los seguimientos de OpenTelemetry como parte de los argumentos y marcas del comando CLI rastreado. Los seguimientos de OpenTelemetry también se guardan en los registros históricos del demonio de BuildKit. Esta vulnerabilidad no afecta a los secretos transferidos al backend de caché de Github mediante variables de entorno ni autenticación de registro.

17 Mar 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-17 20:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-0495

Mitre link : CVE-2025-0495

CVE.ORG link : CVE-2025-0495

JSON object : View

Products Affected

No product.

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2025-0495", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@docker.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.1, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-17T20:15:13.737", "references": [{"url": "https://github.com/docker/buildx", "source": "security@docker.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@docker.com", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Buildx is a Docker CLI plugin that extends build capabilities using BuildKit.\n\nCache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from\u00a0configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command.\u00a0OpenTelemetry traces are also saved in BuildKit daemon's history records.\n\n\nThis vulnerability does not impact secrets passed to the Github cache backend\u00a0via environment variables or registry authentication."}, {"lang": "es", "value": "Buildx es un complemento de Docker CLI que ampl\u00eda las capacidades de compilaci\u00f3n mediante BuildKit. Los backends de cach\u00e9 admiten credenciales configurando secretos directamente como valores de atributo en la configuraci\u00f3n de cach\u00e9 de origen/destino. Al proporcionarse como entrada del usuario, estos valores seguros pueden capturarse accidentalmente en los seguimientos de OpenTelemetry como parte de los argumentos y marcas del comando CLI rastreado. Los seguimientos de OpenTelemetry tambi\u00e9n se guardan en los registros hist\u00f3ricos del demonio de BuildKit. Esta vulnerabilidad no afecta a los secretos transferidos al backend de cach\u00e9 de Github mediante variables de entorno ni autenticaci\u00f3n de registro."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security@docker.com"}