CVE-2025-13743 Overview
CVE-2025-13743 affects Docker Desktop, where diagnostics bundles inadvertently include expired Docker Hub Personal Access Tokens (PATs) in log output. The exposure stems from error object serialization during access denied conditions: the error raised for a rejected Hub request still carries the token that was presented, and the whole object is written into the diagnostic logs. When users export a diagnostics bundle for troubleshooting or support purposes, the token string travels with the archive. The issue is categorized under [CWE-532] (Insertion of Sensitive Information into Log File). The leaked tokens are expired and cannot authenticate, but their presence in shared diagnostic artifacts is a credential hygiene problem and ties a named Docker Hub account to the workstation that produced the bundle, which can aid reconnaissance against that account.
Critical Impact
Expired Docker Hub Personal Access Tokens are written to Docker Desktop diagnostics bundles through error serialization, exposing sensitive identifiers when logs are shared with support staff or third parties.
Affected Products
- Docker Desktop (all versions prior to the vendor fix)
- Docker Desktop on Windows, macOS, and Linux hosts
- Diagnostic bundles generated via the Troubleshoot menu
Discovery Timeline
- 2025-12-09 - CVE-2025-13743 published to NVD
- 2026-01-30 - Last updated in NVD database
Technical Details for CVE-2025-13743
Vulnerability Analysis
The vulnerability is an information disclosure issue rooted in how Docker Desktop serializes error objects when a Docker Hub request is denied. The request fails because the PAT presented with it has expired; the client builds an error object for the access denied response that retains the originating token, and the logging path serializes the full error structure into the application log stream. The token can no longer authenticate, but it remains a sensitive identifier tied to a specific Docker Hub account. When the user opens the Troubleshoot menu to generate a diagnostics bundle, the affected log files are packaged into the exported archive, and anyone who receives the bundle, support engineers included, can recover the token string from it. The flaw is local: a low-privileged user has to trigger the export, but the resulting archive is portable and is routinely shared outside the original trust boundary.
Root Cause
The root cause is unsafe error object serialization combined with missing sanitization of log content. Docker Desktop's logging path writes the entire error payload, including the credential that was passed to the failed Hub API call, instead of redacting credential fields before the record reaches disk.
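To make the pattern concrete, the following added example models it in Python: an error object for a denied Hub request keeps the originating request, and one logging routine serializes the object whole while the other redacts credential fields and PAT-shaped strings first. This is illustration code written for this page, not Docker Desktop's implementation; the class and function names, the sample token and the request are constructed, and the PAT regex assumes the dckr_pat_ prefix followed by at least 20 base64url-style characters.

```python
"""Vulnerable versus hardened serialization of an access-denied error.
Illustration only, not Docker Desktop code."""
import io
import json
import re

# Constructed token in the Docker Hub PAT shape; not a real credential.
SAMPLE_PAT = "dckr_pat_" + "A1b2C3d4" * 4
PAT_RE = re.compile(r"dckr_pat_[A-Za-z0-9_-]{20,}")   # assumed PAT shape
SECRET_HEADERS = {"authorization", "proxy-authorization"}


class HubRequest:
    """The request that was sent, headers included (hypothetical type)."""
    def __init__(self, method, url, headers):
        self.method, self.url, self.headers = method, url, headers

    def as_dict(self):
        return {"method": self.method, "url": self.url, "headers": dict(self.headers)}


class AccessDeniedError(Exception):
    """Error object for a 401/403 from Docker Hub. Keeping the request as a
    field is what drags the Authorization header into the log."""
    def __init__(self, status, request):
        super().__init__(f"hub returned {status}")
        self.status = status
        self.request = request

    def as_dict(self):
        return {"status": self.status, "request": self.request.as_dict()}


def log_error_unsafe(err, stream):
    # Vulnerable pattern: the whole error object is serialized, token and all.
    stream.write(json.dumps(err.as_dict()) + "\n")


def redact(obj):
    """Recursively drop credential headers and mask PAT-shaped strings."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SECRET_HEADERS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return PAT_RE.sub("dckr_pat_[REDACTED]", obj)
    return obj


def log_error_safe(err, stream):
    # Hardened pattern: sanitize the serializable form before it hits the log.
    stream.write(json.dumps(redact(err.as_dict())) + "\n")


def simulate(logger_fn):
    """Raise one access-denied error and return the log text produced."""
    req = HubRequest("GET", "https://hub.docker.com/v2/repositories/example/private/",
                     {"Authorization": f"Bearer {SAMPLE_PAT}", "User-Agent": "example-client"})
    stream = io.StringIO()
    try:
        raise AccessDeniedError(401, req)
    except AccessDeniedError as err:
        logger_fn(err, stream)
    return stream.getvalue()


if __name__ == "__main__":
    print("unsafe:", simulate(log_error_unsafe), end="")
    print("safe:  ", simulate(log_error_safe), end="")
```

Redacting by header name is the primary control; the regex pass is a backstop for tokens that reach the log through a URL, an error message or a free-text field rather than a header.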
Attack Vector
Exploitation requires local access to the Docker Desktop host and user interaction to produce a diagnostics bundle. An attacker who obtains a shared bundle, intentionally or accidentally, can parse the contained logs to extract expired PATs and correlate them with the user's Docker Hub identity for further targeting.
No public exploit code is available for this issue, and none is needed: the exposure is produced by the ordinary diagnostic export workflow rather than by a discrete code path, so the attacker's only step is to obtain a bundle and search it.
Detection Methods for CVE-2025-13743
Indicators of Compromise
- Diagnostic bundle archives generated by Docker Desktop containing log entries with serialized authentication error objects
- Presence of Docker Hub PAT-formatted strings (dckr_pat_*) within exported log files
- Diagnostic bundles transmitted via email, ticketing systems, or chat platforms to external recipients
Detection Strategies
- Scan stored or transmitted Docker Desktop diagnostics archives for token patterns matching Docker Hub PAT prefixes.
- Inspect log files inside diagnostic bundles for serialized error objects referencing Hub authentication or access denied conditions.
- Audit ticketing systems and shared storage locations where users typically upload Docker support artifacts.
Monitoring Recommendations
- Monitor outbound file transfers containing .zip archives originating from Docker Desktop troubleshooting workflows.
- Track Docker Hub PAT creation and revocation events for accounts whose owners have generated diagnostic bundles.
- Alert on Data Loss Prevention (DLP) matches for Docker Hub token regex patterns leaving the corporate environment.
How to Mitigate CVE-2025-13743
Immediate Actions Required
- Upgrade Docker Desktop to the latest vendor-supplied release that addresses error serialization in diagnostic logs.
- Revoke and rotate any Docker Hub Personal Access Tokens that may have appeared in previously generated diagnostic bundles.
- Purge historical diagnostic archives from internal storage, ticketing systems, and mailboxes, or sanitize them before they are retained.
Patch Information
Docker has documented the diagnostic export workflow and remediation guidance in the Docker Desktop Troubleshooting Guide. Apply the latest Docker Desktop update on all developer workstations and confirm the installed Desktop release afterwards; note that docker version reports the CLI client and engine versions, and the Desktop release itself appears on the Server platform line of its output.
Workarounds
- Manually inspect diagnostics bundles and remove log files containing serialized Hub error objects before sharing.
- Restrict Docker Hub PAT scope and lifetime so that leaked, expired tokens carry minimal residual value.
- Establish an internal policy requiring diagnostic bundles to be reviewed by a security-aware engineer prior to external transmission.
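The detection strategies above (scan stored bundles for PAT-shaped strings) and the first workaround (sanitize a bundle before sharing it) need the same tooling, so the following added example covers both: it walks a diagnostics bundle zip, reports every dckr_pat_ match with the member name and line number, and writes a sanitized copy. This is example code written for this page, not a Docker tool. The bundle it builds is constructed (the member names and log lines are made up), and the PAT regex assumes the dckr_pat_ prefix followed by at least 20 base64url-style characters.

```python
"""Scan and sanitize a Docker Desktop diagnostics bundle (a zip archive)
for Docker Hub PAT-shaped strings. Added example, not a Docker tool."""
import io
import re
import zipfile

PAT_RE = re.compile(r"dckr_pat_[A-Za-z0-9_-]{20,}")   # assumed PAT shape
TEXT_SUFFIXES = (".log", ".txt", ".json", ".yaml", ".yml")


def _mask(token):
    # Keep the prefix and last four characters so a finding can be matched
    # to a token in the Hub UI without re-exposing it in the report.
    return token[:9] + "..." + token[-4:]


def scan_bundle(zip_bytes):
    """Return [(member, line_no, masked_token)] for every PAT-shaped string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                for m in PAT_RE.finditer(line):
                    findings.append((info.filename, line_no, _mask(m.group(0))))
    return findings


def sanitize_bundle(zip_bytes):
    """Return (sanitized_zip_bytes, redaction_count). Text members are
    rewritten with tokens masked; all other members are copied unchanged."""
    out = io.BytesIO()
    count = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if not info.is_dir() and info.filename.endswith(TEXT_SUFFIXES):
                text, n = PAT_RE.subn("dckr_pat_[REDACTED]",
                                      data.decode("utf-8", errors="replace"))
                count += n
                data = text.encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue(), count


def read_member(zip_bytes, name):
    """Read one member of an in-memory zip as bytes (used to verify results)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def build_sample_bundle():
    """Constructed stand-in for an exported bundle. Member names and log
    lines are invented for this example; the token is not a real credential."""
    token = "dckr_pat_" + "x1Y2z3" * 5
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backend.log",
                    'time="2025-11-03T10:15:02Z" level=error msg="hub request failed" '
                    'err="{\\"status\\":401,\\"request\\":{\\"headers\\":'
                    '{\\"Authorization\\":\\"Bearer ' + token + '\\"}}}"\n'
                    'time="2025-11-03T10:15:03Z" level=info msg="retrying without token"\n')
        zf.writestr("docker-info.txt", "Server: Docker Desktop (constructed sample)\n")
        zf.writestr("vm/console.bin", b"\x00\x01\x02")
    return buf.getvalue(), token


if __name__ == "__main__":
    bundle, _ = build_sample_bundle()
    for member, line_no, masked in scan_bundle(bundle):
        print(f"{member}:{line_no}: {masked}")
    clean, n = sanitize_bundle(bundle)
    print(f"redacted {n} token(s); sanitized bundle is {len(clean)} bytes")
```

Run scan_bundle over archives already sitting in ticketing or chat exports to find tokens that need revoking, and sanitize_bundle on a fresh export before it leaves the trust boundary; a match on the sanitized copy should never occur, which is a useful self-check before sending.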
# Configuration example
# Verify the Docker Desktop release after patching. The client version is
# the CLI version, not the Desktop release; the Desktop release is reported
# in the server platform name (e.g. "Docker Desktop 4.x.y (build)").
docker version --format '{{.Server.Platform.Name}}'
# Revoke a potentially exposed Docker Hub PAT via the Docker Hub UI:
# Account Settings -> Security -> Personal access tokens -> Revoke
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.