CVE-2025-0495
MEDIUMDocker Buildx < 0.21.3 - Sensitive Information Exposure in OpenTelemetry Traces
Title source: llmDescription
Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.
References (1)
Core 1
Core References
Various Sources
https://github.com/docker/buildx
Scores
CVSS v4
4.1
EPSS
0.0017
EPSS Percentile
7.0%
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (2)
docker/buildx
< 0.21.2
docker/buildx
0 - 0.21.3Go
Published
Mar 17, 2025
Tracked Since
Feb 18, 2026