CVE-2024-23651

HIGH8.7EPSS 0.55%

BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts

Published: 1/31/2024Modified: 2/4/2026

Description

### Impact Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. ### Patches The issue has been fixed in v0.12.5 ### Workarounds Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with `--mount=type=cache,source=...` options. ### References https://www.openwall.com/lists/oss-security/2019/05/28/1

Affected packages (2)

Go/github.com/moby/buildkitfrom 0, < 0.12.5
Go/github.com/moby/buildkitfrom 0, < 0.12.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-23651
PATCHhttps://github.com/moby/buildkit
WEBhttps://github.com/moby/buildkit/pull/4604
WEBhttps://github.com/moby/buildkit/releases/tag/v0.12.5
WEBhttps://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv