CVE-2024-23652 — Path Traversal in Buildkit

CWE-22 — Path Traversal CWE-362 — Race Condition CWE-403 — File Descriptor Leak CWE-668 — Resource Exposure CWE-863 — Incorrect Authorization14 documents9 sources

Severity

9.1CRITICALNVD

OSV8.7

EPSS

5.7%

top 9.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moby Buildkit Github.com Moby Buildkit Mobyproject Buildkit +10 more

Timeline

PublishedJan 31

Latest updateMay 1

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount f…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages13 packages

▶CVEListV5moby/buildkit< 0.12.5

▶NVDmobyproject/buildkit< 0.12.5

▶Gogithub.com/moby_buildkit< 0.12.5

▶Palo Altopaloalto/cortex_xsoar

▶Palo Altopaloalto/prisma_cloud

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

docker.io vulnerabilities↗2025-05-01

▶

OSV

Host system modification in github.com/moby/buildkit↗2024-02-12

▶

GHSA

BuildKit vulnerable to possible host system access from mount stub cleaner↗2024-01-31

▶

OSV

CVE-2024-23652: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner↗2024-01-31

▶

OSV

BuildKit vulnerable to possible host system access from mount stub cleaner↗2024-01-31

▶

📋Vendor Advisories

Ubuntu

Docker vulnerabilities↗2025-05-01

▶

Palo Alto

PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)↗2024-02-22

▶

Red Hat

moby/buildkit: possible host system access from mount stub cleaner↗2024-01-31

▶

Microsoft

BuildKit possible host system access from mount stub cleaner↗2024-01-09

▶

🕵️Threat Intelligence

Wiz

Crying Out Cloud - March 2024 Newsletter | Wiz↗2024-03-01

▶

Wiz

Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog↗2024-02-05

▶

Wiz

Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog↗2024-02-05

▶

Bleepingcomputer

Leaky Vessels flaws allow hackers to escape Docker, runc containers↗2024-02-04

▶