CVE-2025-0495

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-0495
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0495.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-0495
Aliases
Related
Published
2025-03-17T20:15:13Z
Modified
2025-04-14T05:40:09.262260Z
Downstream
Summary
[none]
Details

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit.

Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records.

This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.

References

Affected packages

Debian:13 / docker-buildx

Package

Name
docker-buildx
Purl
pkg:deb/debian/docker-buildx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.13.1+ds1-3

Affected versions

0.*

0.13.1+ds1-1
0.13.1+ds1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}