CWE: 532

CVE-2025-0495: Secrets leakage to telemetry endpoint via cache backend configuration via buildx

First published: Mon Mar 17 2025

### Impact

Some cache backends allow their credentials to be configured by setting secrets directly as attribute values in the `cache-to`/`cache-from` configuration. If a user did this, those secret values could be captured in the OpenTelemetry trace as part of the arguments and flags of the traced CLI command. Passing tokens to the GitHub cache backend via environment variables, or using registry authentication, is not affected. If you passed a token value this way and use a custom OpenTelemetry collector to compute traces, make sure those traces are kept secure. OpenTelemetry traces are also saved in the BuildKit daemon's history records.

### Patches

The issue has been fixed in Buildx v0.21.3 or newer.

### Workarounds

Avoid passing cache backend credentials as CLI arguments. Make sure access to traces and BuildKit history records is kept secure.
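The leak described above is simply the CLI argv being recorded as trace attributes, so the same argv a trace (or a BuildKit history record) would carry can be scanned for credential-bearing cache attributes before it is run or after it has been captured. The following is an added example written for this page, not code from docker/buildx: it parses `--cache-to`/`--cache-from` values in both the `--flag=value` and `--flag value` forms, redacts the attributes that carry secrets, and reports each one. The list of secret attribute names (`token`, `access_key_id`, `secret_access_key`, `session_token`) is an assumption based on the gha and s3 backend options; the comma split is a simplification of buildx's CSV parsing.

```go
package main

import (
	"fmt"
	"strings"
)

// secretKeys lists cache backend attributes that carry credentials.
// Assumption: drawn from the gha (token) and s3 (access keys) backend
// options; extend it for any other backend you use.
var secretKeys = map[string]bool{
	"token":             true,
	"access_key_id":     true,
	"secret_access_key": true,
	"session_token":     true,
}

// Finding records one credential-bearing attribute found in a cache flag.
type Finding struct {
	Flag string // "--cache-to" or "--cache-from"
	Type string // backend type from the config, e.g. "gha"
	Key  string // attribute name, e.g. "token"
}

// cacheFlagName reports whether arg is a cache flag and whether its value
// is inline ("--cache-to=...") rather than in the next argv element.
func cacheFlagName(arg string) (name string, inline bool) {
	for _, f := range []string{"--cache-to", "--cache-from"} {
		if arg == f {
			return f, false
		}
		if strings.HasPrefix(arg, f+"=") {
			return f, true
		}
	}
	return "", false
}

// redactCacheValue scans a comma-separated key=value cache config,
// replaces secret values with "<redacted>", and returns the findings.
// Simplification: a plain comma split, not buildx's CSV parsing.
func redactCacheValue(flag, value string) (string, []Finding) {
	parts := strings.Split(value, ",")
	backend := ""
	for _, p := range parts {
		if k, v, ok := strings.Cut(p, "="); ok && k == "type" {
			backend = v
		}
	}
	var findings []Finding
	for i, p := range parts {
		k, _, ok := strings.Cut(p, "=")
		if !ok {
			continue
		}
		if secretKeys[strings.ToLower(k)] {
			parts[i] = k + "=<redacted>"
			findings = append(findings, Finding{Flag: flag, Type: backend, Key: k})
		}
	}
	return strings.Join(parts, ","), findings
}

// RedactBuildxArgs walks a buildx argv (as it would appear in a trace's
// command attributes or a BuildKit history record), redacts credentials
// passed through cache-to/cache-from, and returns the findings.
func RedactBuildxArgs(args []string) ([]string, []Finding) {
	out := make([]string, 0, len(args))
	var findings []Finding
	for i := 0; i < len(args); i++ {
		name, inline := cacheFlagName(args[i])
		switch {
		case name != "" && inline:
			v, f := redactCacheValue(name, strings.TrimPrefix(args[i], name+"="))
			out = append(out, name+"="+v)
			findings = append(findings, f...)
		case name != "" && i+1 < len(args):
			v, f := redactCacheValue(name, args[i+1])
			out = append(out, name, v)
			findings = append(findings, f...)
			i++ // value consumed
		default:
			out = append(out, args[i])
		}
	}
	return out, findings
}

func main() {
	// Constructed sample argv: a GHA token passed inline (the leaking
	// pattern), S3 keys passed inline, and a registry cache (unaffected).
	argv := []string{
		"docker", "buildx", "build",
		"--cache-to", "type=gha,mode=max,token=ghs_EXAMPLE",
		"--cache-from=type=s3,region=us-east-1,bucket=b,access_key_id=AKIAEXAMPLE,secret_access_key=EXAMPLE",
		"--cache-from", "type=registry,ref=example.com/app:cache",
		".",
	}
	redacted, findings := RedactBuildxArgs(argv)
	fmt.Println(strings.Join(redacted, " "))
	for _, f := range findings {
		fmt.Printf("%s (type=%s): attribute %q must not be passed on the command line\n", f.Flag, f.Type, f.Key)
	}
}
```

Run as a pre-flight check in CI wrappers, or point it at the argv recorded in a collected trace to decide whether a token needs rotating; the registry backend produces no finding because it authenticates through the Docker credential store rather than flag values.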

Credit: security@docker.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Docker Buildx (go/github.com/docker/buildx) | <=0.21.2 | 0.21.3 |


Frequently Asked Questions

  • What is the severity of CVE-2025-0495?

    CVE-2025-0495 is classified as a medium severity vulnerability affecting Docker Buildx.

  • How do I fix CVE-2025-0495?

    To fix CVE-2025-0495, update Docker Buildx to v0.21.3 or newer, and rotate any cache backend credentials that were passed as cache-to/cache-from attribute values while traces or BuildKit history records were collected.

  • What software is affected by CVE-2025-0495?

    CVE-2025-0495 specifically affects Docker Buildx, which is a CLI plugin for Docker.

  • What are the potential risks of CVE-2025-0495?

    The potential risks of CVE-2025-0495 include exposure of cache backend credentials that were set as attribute values in cache-to/cache-from configuration: they are captured with the CLI arguments in OpenTelemetry traces and in the BuildKit daemon's history records, where anyone with access to those traces or records can read them.

  • Is there a workaround for CVE-2025-0495?

    As a workaround for CVE-2025-0495, avoid passing cache backend credentials as cache-to/cache-from attribute values on the command line; pass GitHub cache tokens via environment variables or use registry authentication instead, and keep access to traces and BuildKit history records restricted.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203