GitHub.com Moby BuildKit vulnerabilities

7 known vulnerabilities affecting github.com/moby_buildkit.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 2

Vulnerabilities

CVE-2026-33747 [HIGH] CWE-22 | affected versions: ≥ 0, < 0.28.1 | published: 2026-03-26
Title: BuildKit's Malicious frontend can cause file escape outside of storage root
Impact: When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.
Patches: The issue has been fixed in v0.28.1+
Workarounds: Issue requires using an untrusted BuildKit frontend set with `#s
CVE-2026-33748 [HIGH] CWE-22 | affected versions: ≥ 0, < 0.28.1 | published: 2026-03-26
Title: BuildKit Git URL subdir component can cause access to restricted files
Impact: Insufficient validation of Git URL fragment subdir components (`#:`, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem.
Patches: The issue has been fixed
CVE-2024-23652 [CRITICAL] CWE-22 | affected versions: ≥ 0, < 0.12.5 | published: 2024-01-31
Title: BuildKit vulnerable to possible host system access from mount stub cleaner
Impact: A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.
Patches: The issue has been fixed in v0.12.5
Workarounds: Avoid using BuildKit frontend fr
CVE-2024-23653 [CRITICAL] CWE-863 | affected versions: ≥ 0, < 0.12.5 | published: 2024-01-31
Title: Buildkit's interactive containers API does not validate entitlements check
Impact: In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.in
CVE-2024-23651 [HIGH] CWE-362 | affected versions: ≥ 0, < 0.12.5 | published: 2024-01-31
Title: BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
Impact: Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
Patches: The issue has been fixed in v0.12.5
Workarounds: Avoid usin
CVE-2024-23650 [MEDIUM] CWE-754 | affected versions: ≥ 0, < 0.12.5 | published: 2024-01-31
Title: BuildKit vulnerable to possible panic when incorrect parameters sent from frontend
Impact: A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.
Patches: The issue has been fixed in v0.12.5
Workarounds: Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the `#sy
CVE-2023-26054 [MEDIUM] CWE-200 | affected versions: ≥ 0.10.0, < 0.11.4 | published: 2023-03-07
Title: Buildkit credentials inlined to Git URLs could end up in provenance attestation
Description: When the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with cre