GHSA-4vrq-3vrq-g6gg

Source
https://github.com/advisories/GHSA-4vrq-3vrq-g6gg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4vrq-3vrq-g6gg/GHSA-4vrq-3vrq-g6gg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4vrq-3vrq-g6gg
Aliases
Downstream
Related
Published
2026-03-26T18:27:49Z
Modified
2026-03-27T21:49:53.372965Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
BuildKit Git URL subdir component can cause access to restricted files
Details

Impact

Insufficient validation of the subdir component of a Git URL fragment (<url>#<ref>:<subdir>) may allow a build to read files outside the checked-out Git repository root, for example through a symlink committed to the repository that points outside the checkout (the CWE-22 and CWE-59 classifications below reflect this). Access is limited to files on the same mounted filesystem as the checkout.

Patches

The issue has been fixed in BuildKit v0.28.1.

Workarounds

Only builds that use a Git URL with a subdir component are affected. Avoid building Dockerfiles from untrusted sources, and avoid pointing the subdir component into an untrusted Git repository, since that repository could place a symlink at the named path that resolves to a location outside the checkout.
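The impact and workaround sections above describe the class of bug (a subdir component that escapes the checkout root either lexically or via a symlink) without showing what a correct containment check looks like. The following Go program is an added example written for this page; it is not BuildKit's code and not the upstream fix. It assumes a hypothetical SafeSubdir(root, subdir) helper that resolves the subdir against the real checkout root, rejects absolute and ".."-escaping components lexically, then follows symlinks and re-checks containment. DemoResults builds a constructed throwaway directory (not a real Git repository) with one harmless in-tree symlink and one symlink pointing outside the checkout, and reports which subdir components the check accepts.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot reports a subdir that, lexically or after following symlinks,
// does not stay inside the checked-out repository root.
var ErrOutsideRoot = errors.New("subdir resolves outside the repository root")

// within reports whether path is root itself or lies beneath it. Both inputs
// must already be clean, absolute paths.
func within(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeSubdir resolves a Git URL fragment subdir against the checkout root and
// returns the real path, or ErrOutsideRoot if the subdir escapes the root
// either lexically ("../x") or through a symlink committed to the repository.
// Hypothetical hardening written for this page, not BuildKit's own code.
func SafeSubdir(root, subdir string) (string, error) {
	if filepath.IsAbs(subdir) {
		return "", ErrOutsideRoot // the fragment is relative to the checkout by definition
	}
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Lexical containment: Join cleans ".." segments, so compare before touching the disk.
	joined := filepath.Join(rootReal, subdir)
	if !within(rootReal, joined) {
		return "", ErrOutsideRoot
	}
	// Physical containment: follow any symlinks inside the checkout and re-check
	// the final target, which is what a purely lexical check misses (CWE-59).
	resolved, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", err
	}
	if !within(rootReal, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// DemoResults builds a throwaway checkout (constructed fixture, not a real Git
// repository) containing one in-tree symlink and one symlink that points to a
// directory outside the checkout, then reports which subdir components
// SafeSubdir accepts. Accepted components map to true.
func DemoResults() (map[string]bool, error) {
	base, err := os.MkdirTemp("", "subdir-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "repo")
	outside := filepath.Join(base, "secret") // stands in for files outside the checkout
	for _, d := range []string{filepath.Join(root, "app"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return nil, err
		}
	}
	if err := os.Symlink("app", filepath.Join(root, "alias")); err != nil { // harmless in-tree link
		return nil, err
	}
	if err := os.Symlink(outside, filepath.Join(root, "escape")); err != nil { // link escaping the checkout
		return nil, err
	}
	results := map[string]bool{}
	for _, sub := range []string{"app", "alias", "escape", "../secret", "app/../../secret", "/etc"} {
		_, err := SafeSubdir(root, sub)
		switch {
		case err == nil:
			results[sub] = true
		case errors.Is(err, ErrOutsideRoot):
			results[sub] = false
		default:
			return nil, fmt.Errorf("%s: %w", sub, err)
		}
	}
	return results, nil
}

func main() {
	res, err := DemoResults()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for _, sub := range []string{"app", "alias", "escape", "../secret", "app/../../secret", "/etc"} {
		fmt.Printf("%-18s accepted=%v\n", sub, res[sub])
	}
}
```

The two-stage check matters: a lexical check alone accepts "escape" because the path string never leaves the root, while EvalSymlinks alone would resolve "../secret" correctly but gives no early rejection for absolute components. Both stages compare against the resolved root so that a checkout living under a symlinked temporary directory is not itself misreported as an escape.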

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-59"
    ],
    "nvd_published_at": "2026-03-27T15:16:57Z",
    "github_reviewed_at": "2026-03-26T18:27:49Z",
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/moby/buildkit

Package

Name
github.com/moby/buildkit
Purl
pkg:golang/github.com/moby/buildkit

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.28.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4vrq-3vrq-g6gg/GHSA-4vrq-3vrq-g6gg.json"