CVE-2025-3911 Overview
CVE-2025-3911 affects Docker Desktop, where the application records container environment variables in its application logs. Environment variables frequently contain sensitive data such as API keys, database passwords, and authentication tokens. A local actor with read access to these log files can harvest those credentials and reuse them to pivot into other systems. Docker addressed the issue in version 4.41.0, after which Docker Desktop no longer writes user-defined environment variables to disk logs. The flaw is tracked under CWE-532: Insertion of Sensitive Information into Log File.
Critical Impact
Local attackers reading Docker Desktop logs can extract container secrets and use them to gain unauthorized access to downstream cloud services, databases, and APIs.
Affected Products
- Docker Desktop versions prior to 4.41.0
- Docker Desktop on Windows, macOS, and Linux host platforms
- Containers launched through Docker Desktop with environment variables containing secrets
Discovery Timeline
- 2025-04-29 - CVE-2025-3911 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-3911
Vulnerability Analysis
The vulnerability is an information disclosure flaw rooted in insecure logging behavior. When users start containers through Docker Desktop and pass environment variables using -e flags, Compose files, or the GUI, the Docker Desktop process writes those variable names and values into its application log files. These logs persist on the host file system and follow the operating system's default file permissions.
Developers and operators commonly inject secrets into containers using environment variables. Typical examples include AWS_SECRET_ACCESS_KEY, DATABASE_PASSWORD, GITHUB_TOKEN, and arbitrary API keys. When Docker Desktop captures these values, the secrets remain readable inside text-based log files long after the container has stopped.
Root Cause
The root cause is the absence of secret-aware log redaction in the Docker Desktop logging subsystem. The application treated container launch parameters as routine diagnostic data and serialized them verbatim. No allowlist, denylist, or pattern-based masking filtered values associated with environment variables before they reached persistent storage.
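The following is an added example, not Docker Desktop's code, of the kind of secret-aware masking the page says was missing: container launch parameters are serialized for a diagnostic log only after environment values are redacted, either by a hypothetical denylist of sensitive key names or, more conservatively, for every variable. The key-name patterns and the sample environment are constructed for illustration.

```python
import json
import re
from typing import Dict

# Hypothetical denylist of key-name fragments that mark a variable as sensitive.
# A denylist can miss oddly named secrets, which is why mask_all exists below.
SENSITIVE_KEY_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|KEY|CREDENTIAL|AUTH)", re.IGNORECASE
)
REDACTED = "<redacted>"


def redact_env(env: Dict[str, str], mask_all: bool = False) -> Dict[str, str]:
    """Return a copy of env with sensitive values replaced by a placeholder.

    mask_all=True masks every value, the safer default for logs that persist on
    disk; otherwise only keys matching the denylist are masked.
    """
    redacted = {}
    for name, value in env.items():
        if mask_all or SENSITIVE_KEY_RE.search(name):
            redacted[name] = REDACTED
        else:
            redacted[name] = value
    return redacted


def serialize_launch_params(image: str, env: Dict[str, str],
                            mask_all: bool = False) -> str:
    """Build one JSON log line for a container start with env already redacted.

    Redaction happens before serialization, so the raw value never reaches
    the string that gets written to persistent storage.
    """
    record = {
        "event": "container.start",
        "image": image,
        "env": redact_env(env, mask_all=mask_all),
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample environment; the values are placeholders, not real secrets.
    sample_env = {
        "APP_MODE": "dev",
        "AWS_SECRET_ACCESS_KEY": "hunter2",
        "DATABASE_PASSWORD": "Tr0ub4dor&3",
    }
    print(serialize_launch_params("myapp:latest", sample_env))
    print(serialize_launch_params("myapp:latest", sample_env, mask_all=True))
```

The denylist variant keeps harmless values such as APP_MODE readable for troubleshooting; the mask_all variant is what a logging subsystem should fall back to when it cannot know which variables are secrets, which is effectively the behaviour the 4.41.0 fix adopts by not logging user-defined variables at all.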
Attack Vector
Exploitation requires local access to the host system and permission to read Docker Desktop log files. An attacker who already has a foothold on the workstation, such as a low-privileged user or a malicious process, can enumerate the log directory referenced in the Docker Desktop Troubleshooting Guide. The attacker then parses logged environment variables and extracts credentials. The harvested secrets can be replayed against cloud providers, source code repositories, or production databases, expanding the breach beyond the original host.
Detection Methods for CVE-2025-3911
Indicators of Compromise
- Docker Desktop log files containing plaintext environment variable assignments such as TOKEN=, PASSWORD=, SECRET=, or KEY= values
- Unexpected read access to Docker Desktop log directories by non-administrative users or background processes
- Outbound authentication attempts to cloud APIs from hosts where the corresponding credentials were only present in container environment variables
Detection Strategies
- Scan Docker Desktop log files on developer workstations for high-entropy strings and common secret prefixes such as AKIA, ghp_, or xoxb-
- Audit file access events on Docker Desktop log paths and alert on reads by processes other than the Docker daemon itself
- Correlate credential use in cloud audit logs against the hosts and identities authorized to hold those credentials
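As an added example of the first detection strategy above (not code from the page or from Docker), the scanner below runs over constructed log lines that imitate the pattern described in the Indicators of Compromise: environment assignments written verbatim into a log. It flags a value when it carries a known secret prefix from the list above (AKIA, ghp_, xoxb-), when it is long and high-entropy, or when the variable name itself looks sensitive. The entropy threshold, the minimum length and the sample log text are assumptions to tune per environment; findings carry only a short preview of each value so the scanner's own output does not become another copy of the secret.

```python
import math
import re
from typing import Dict, List

# Constructed sample log content standing in for a Docker Desktop log file.
# The values are placeholders, not real credentials.
SAMPLE_LOG = """\
2025-04-01T10:00:00Z INFO starting container myapp:latest
2025-04-01T10:00:00Z DEBUG env: APP_MODE=dev
2025-04-01T10:00:00Z DEBUG env: AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
2025-04-01T10:00:00Z DEBUG env: GITHUB_TOKEN=ghp_EXAMPLEtokenvalue0123456789abcdefghij
2025-04-01T10:00:00Z DEBUG env: DATABASE_PASSWORD=Tr0ub4dor&3xY9qLmZpW
2025-04-01T10:00:01Z INFO container started
"""

# NAME=value pairs where NAME looks like a shell-style environment variable.
ASSIGNMENT_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)=(\S+)")
# Variable-name fragments from the Indicators of Compromise list.
SENSITIVE_NAME_RE = re.compile(r"(TOKEN|PASSWORD|SECRET|KEY)", re.IGNORECASE)
# Value prefixes from the Detection Strategies list.
SECRET_PREFIXES = ("AKIA", "ghp_", "xoxb-")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune locally
MIN_SECRET_LEN = 16      # assumed; short values rarely cross the threshold


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_value(value: str) -> List[str]:
    """Return the reasons a value looks like a secret (empty list if none)."""
    reasons = []
    if value.startswith(SECRET_PREFIXES):
        reasons.append("known-prefix")
    if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def scan_log(text: str) -> List[Dict]:
    """Scan log text for environment assignments that look like leaked secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGNMENT_RE.finditer(line):
            name, value = match.group(1), match.group(2)
            reasons = classify_value(value)
            if SENSITIVE_NAME_RE.search(name):
                reasons.append("sensitive-name")
            if reasons:
                findings.append({
                    "line": lineno,
                    "name": name,
                    "reasons": reasons,
                    # Never echo the full value back into another log.
                    "value_preview": value[:4] + "...",
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pointing scan_log at the real log directory is a matter of reading each file and feeding its text in; the APP_MODE=dev line shows why name-based and value-based checks are combined rather than flagging every assignment, and AWS_ACCESS_KEY_ID shows a prefix match catching a value whose entropy alone is too low to trigger the threshold.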
Monitoring Recommendations
- Inventory all endpoints running Docker Desktop and confirm whether the installed version is 4.41.0 or later
- Enable endpoint telemetry on log directories to capture file open and copy operations by non-Docker processes
- Rotate any secret that may have been passed to containers as an environment variable on a vulnerable Docker Desktop version
How to Mitigate CVE-2025-3911
Immediate Actions Required
- Upgrade Docker Desktop to version 4.41.0 or later on every developer and engineering workstation
- Rotate API keys, tokens, and passwords that were previously supplied to containers as environment variables
- Restrict file system permissions on Docker Desktop log directories so only administrators and the Docker service account can read them
- Purge or securely delete existing Docker Desktop log files that may contain captured secrets
Patch Information
Docker released the fix in Docker Desktop version 4.41.0. Starting with that release, Docker Desktop no longer logs environment variables set by the user. Administrators should validate the installed version using docker version and the Docker Desktop About dialog after upgrading.
Workarounds
- Pass secrets to containers using Docker secrets or mounted files instead of -e environment variables when running unpatched versions
- Use a dedicated secrets manager such as a vault service and inject values at runtime through APIs rather than container environment definitions
- Apply strict access control lists on the Docker Desktop log directory to limit exposure until patching completes
# Configuration example
# Check the bundled CLI version; note that this prints the Docker CLI client
# version, not the Docker Desktop release number, so confirm 4.41.0 or later
# in the Docker Desktop About dialog as well
docker version --format '{{.Client.Version}}'
# Prefer file-based secrets over -e environment variables: the application
# reads the credential from the mounted file, so nothing is passed as an
# environment value that could be logged
docker run --rm \
  --mount type=bind,source=/run/secrets/db_password,target=/run/secrets/db_password,readonly \
  myapp:latest
# Restrict access to Docker Desktop logs (macOS path shown; the log location
# differs on Linux and Windows, see the Docker Desktop Troubleshooting Guide)
chmod 700 ~/Library/Containers/com.docker.docker/Data/log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.