CVE-2025-0495 MEDIUM

CVE-2025-0495: Secrets leakage to telemetry endpoint via cache backend configuration via buildx

Vendor Docker
Product buildx
Weakness CWE-532 · Sensitive info in logs
Published March 17, 2025
Last update March 18, 2025

CVSS base score

4.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.

Key dates

02Disclosure timeline

March 17, 2025 CVE published
March 18, 2025 Record updated