CVE-2024-23650
MEDIUM 5.3 | EPSS 0.11%
BuildKit vulnerable to possible panic when incorrect parameters sent from frontend
Published: 1/31/2024
Modified: 2/4/2026
Description
### Impact

A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.

### Patches

The issue has been fixed in v0.12.5.

### Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the `#syntax` line on your Dockerfile, or with `--frontend` flag when using `buildctl build` command.
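To support the workaround above, the following added example (not part of the advisory or of BuildKit) audits Dockerfiles for a `#syntax` frontend that is not on a local allowlist. The allowlist, the sample Dockerfiles and the function names are assumptions for illustration; `--frontend` arguments passed to `buildctl build` are not covered.

```python
import re

# Assumption: repositories this organisation accepts as frontends.
TRUSTED_REPOS = {"docker/dockerfile", "docker.io/docker/dockerfile"}

# Parser directive: "# key=value", key case-insensitive, spaces allowed.
DIRECTIVE = re.compile(r"^#\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")

def syntax_directive(text):
    """Return the image named by the #syntax directive, or None.
    Directives count only at the top of the file: the first blank line,
    plain comment or instruction ends the directive block."""
    lines = text.splitlines()
    if lines and lines[0].startswith("#!"):  # a leading shebang is skipped
        lines = lines[1:]
    for line in lines:
        m = DIRECTIVE.match(line.strip())
        if not m:
            return None
        # Any "# key=value" line is scanned past; conservative for an audit.
        if m.group(1).lower() == "syntax":
            return m.group(2)
    return None

def repository(ref):
    """Strip the digest and tag from an image reference."""
    name = ref.split("@", 1)[0]
    if ":" in name.rsplit("/", 1)[-1]:  # a colon after the last "/" is a tag
        name = name[: name.rindex(":")]
    return name

def audit(dockerfiles):
    """Map path -> 'default', 'trusted' or 'untrusted: <ref>'."""
    verdicts = {}
    for path, text in dockerfiles.items():
        ref = syntax_directive(text)
        if ref is None:
            verdicts[path] = "default"  # no external frontend requested
        elif repository(ref) in TRUSTED_REPOS:
            verdicts[path] = "trusted"
        else:
            verdicts[path] = "untrusted: " + ref
    return verdicts

# Constructed sample input, not taken from any real repository.
SAMPLES = {
    "svc-a/Dockerfile": "# syntax=docker/dockerfile:1\nFROM alpine:3.19\n",
    "svc-b/Dockerfile": "#  SYNTAX = registry.example/unknown/frontend:latest\nFROM alpine:3.19\n",
    "svc-c/Dockerfile": "FROM alpine:3.19\n# syntax=registry.example/late:1\n",
    "svc-d/Dockerfile": "# escape=`\n# syntax=docker/dockerfile-lookalike:1\nFROM scratch\n",
}
if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(path, "->", verdict)
```

This check only narrows exposure to untrusted frontends; the fix stated above remains the upgrade to v0.12.5.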
Affected packages (2)
- Go / github.com/moby/buildkit: from 0, < 0.12.5
- Go / github.com/moby/buildkit: from 0, < 0.12.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-23650
- PATCH: https://github.com/moby/buildkit
- WEB: https://github.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987
- WEB: https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c
- WEB: https://github.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee
- WEB: https://github.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae
- WEB: https://github.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330
- WEB: https://github.com/moby/buildkit/pull/4601
- WEB: https://github.com/moby/buildkit/releases/tag/v0.12.5
- WEB: https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx