CVE-2025-0495 Overview
Docker Buildx, a CLI plugin that extends Docker build capabilities using BuildKit, contains an information disclosure vulnerability affecting cache backend credential handling. When cache backends are configured with credentials supplied directly as attribute values in cache-to or cache-from configuration, these sensitive values may be inadvertently captured in OpenTelemetry traces. The exposed credentials become part of the arguments and flags for the traced CLI command and are also persisted in BuildKit daemon's history records.
This vulnerability represents a significant concern for CI/CD environments and development workflows where cache backend credentials are passed as user input rather than through secure mechanisms.
Critical Impact
Sensitive cache backend credentials may be exposed through OpenTelemetry telemetry data and BuildKit daemon history, potentially allowing unauthorized access to cache storage systems.
Affected Products
- Docker Buildx CLI plugin (versions prior to patch)
- BuildKit daemon with OpenTelemetry tracing enabled
- CI/CD systems utilizing Buildx cache backends with inline credentials
Discovery Timeline
- 2025-03-17 - CVE CVE-2025-0495 published to NVD
- 2025-03-17 - Last updated in NVD database
Technical Details for CVE-2025-0495
Vulnerability Analysis
This vulnerability falls under CWE-532 (Insertion of Sensitive Information into Log File), where sensitive credential data is inadvertently written to telemetry and history records. The issue arises from the way Docker Buildx processes cache backend configuration parameters. When users specify credentials directly in the cache-to or cache-from flags, these values are captured in their entirety by the OpenTelemetry instrumentation layer.
The exposure occurs in two distinct locations: OpenTelemetry trace data, which may be exported to external monitoring systems, and BuildKit daemon history records stored locally. This dual exposure pathway increases the risk surface, as credentials could be accessed through either the telemetry infrastructure or direct access to the BuildKit daemon's storage.
It's important to note that this vulnerability does not impact credentials passed to the GitHub cache backend via environment variables or registry authentication mechanisms, which use more secure credential handling paths.
Root Cause
The root cause lies in insufficient sanitization of command-line arguments before they are captured by OpenTelemetry instrumentation. The Buildx CLI passes cache backend configuration, including embedded credentials, directly to the tracing layer without redacting sensitive values. The design assumed credentials would be provided through secure channels (environment variables, credential helpers) rather than inline in configuration attributes.
Attack Vector
The attack vector requires local access to either the OpenTelemetry trace collection endpoint or the BuildKit daemon's history storage. An attacker with access to these data stores could extract cache backend credentials by examining traced CLI commands or daemon history entries. This is particularly concerning in shared development environments, multi-tenant CI/CD systems, or scenarios where telemetry data is aggregated to centralized monitoring platforms with broad access.
The vulnerability can be exploited by:
- Accessing OpenTelemetry trace exports containing Buildx command traces
- Querying BuildKit daemon history records
- Intercepting telemetry data in transit to collection endpoints
Detection Methods for CVE-2025-0495
Indicators of Compromise
- Unusual access patterns to BuildKit daemon history files
- Unauthorized queries to OpenTelemetry trace storage
- Anomalous authentication attempts using cache backend credentials
- Unexpected access to telemetry collection endpoints
Detection Strategies
- Monitor access logs for BuildKit daemon storage directories
- Audit OpenTelemetry collector access and query patterns
- Review CI/CD pipeline logs for inline credential usage in Buildx commands
- Implement alerting on suspicious authentication to cache backend systems
Monitoring Recommendations
- Enable comprehensive audit logging on telemetry collection infrastructure
- Monitor for credential usage from unexpected sources or locations
- Implement anomaly detection on cache backend authentication patterns
- Track access to BuildKit daemon state directories
How to Mitigate CVE-2025-0495
Immediate Actions Required
- Audit existing Buildx configurations for inline credentials in cache-to and cache-from flags
- Migrate cache backend credentials to environment variables or secure credential helpers
- Review and rotate any credentials that may have been exposed through telemetry
- Restrict access to OpenTelemetry trace data and BuildKit daemon history
Patch Information
Organizations should monitor the Docker Buildx GitHub Repository for security updates addressing this vulnerability. Apply patches as they become available and upgrade to patched versions of Docker Buildx and BuildKit.
Workarounds
- Use environment variables instead of inline attribute values for cache backend credentials
- Configure registry authentication through Docker's credential helper system
- Disable or restrict OpenTelemetry tracing in sensitive environments until patched
- Implement access controls on BuildKit daemon history storage
- Purge existing BuildKit history that may contain exposed credentials
# Configuration example - Use environment variables instead of inline credentials
# Avoid this pattern (vulnerable):
# docker buildx build --cache-to type=s3,access_key=AKIAXXXXXXXX,secret_key=secret123
# Use this pattern instead (secure):
export AWS_ACCESS_KEY_ID=AKIAXXXXXXXX
export AWS_SECRET_ACCESS_KEY=secret123
docker buildx build --cache-to type=s3,region=us-east-1,bucket=my-cache
# Clear BuildKit daemon history to remove potentially exposed credentials
docker buildx prune --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
