CVE-2024-23651Race Condition in Buildkit

CWE-362Race ConditionCWE-22Path TraversalCWE-403File Descriptor LeakCWE-668Resource ExposureCWE-863Incorrect Authorization14 documents9 sources
Severity
7.4HIGHNVD
OSV8.7
EPSS
0.5%
top 32.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
Moby BuildkitGithub.com Moby BuildkitMobyproject Buildkit+10 more
Timeline
PublishedJan 31
Latest updateMay 1

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts w

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages13 packages

CVEListV5moby/buildkit< 0.12.5
NVDmobyproject/buildkit< 0.12.5

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
docker.io vulnerabilities2025-05-01
OSV
Host system file access in github.com/moby/buildkit2024-02-13
GHSA
BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts2024-01-31
OSV
BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts2024-01-31
OSV
CVE-2024-23651: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner2024-01-31

📋Vendor Advisories

4
Ubuntu
Docker vulnerabilities2025-05-01
Palo Alto
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)2024-02-22
Red Hat
moby/buildkit: possible race condition with accessing subpaths from cache mounts2024-01-31
Microsoft
BuildKit possible race condition with accessing subpaths from cache mounts2024-01-09

🕵️Threat Intelligence

4
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz2024-03-01
Wiz
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog2024-02-05
Wiz
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog2024-02-05
Bleepingcomputer
Leaky Vessels flaws allow hackers to escape Docker, runc containers2024-02-04