CVE-2025-0495

Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records.

This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.

References

Affected packages

Debian:13 / docker-buildx

Package

Name: docker-buildx
Purl: pkg:deb/debian/docker-buildx?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.13.1+ds1-3

Affected versions

0.*

0.13.1+ds1-1

0.13.1+ds1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}