GHSA-4c29-8rgm-jvjj

Suggest an improvement
Source
https://github.com/advisories/GHSA-4c29-8rgm-jvjj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4c29-8rgm-jvjj/GHSA-4c29-8rgm-jvjj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4c29-8rgm-jvjj
Aliases
Downstream
Related
Published
2026-03-26T18:26:09Z
Modified
2026-03-27T21:48:05.831094Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
BuildKit's Malicious frontend can cause file escape outside of storage root
Details

Impact

When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.

Patches

The issue has been fixed in v0.28.1+

Workarounds

Issue requires using an untrusted BuildKit frontend set with #syntax or --build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image like docker/dockerfile is not affected.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": "2026-03-27T01:16:21Z",
    "github_reviewed_at": "2026-03-26T18:26:09Z",
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/moby/buildkit

Package

Name
github.com/moby/buildkit
View open source insights on deps.dev
Purl
pkg:golang/github.com/moby/buildkit

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.28.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4c29-8rgm-jvjj/GHSA-4c29-8rgm-jvjj.json"