CVE-2024-23652

CRITICAL10.0EPSS 5.7%

BuildKit vulnerable to possible host system access from mount stub cleaner

Published: 1/31/2024Modified: 2/4/2026

Description

### Impact A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. ### Patches The issue has been fixed in v0.12.5 ### Workarounds Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing `RUN --mount` feature. ### References

Affected packages (2)

Go/github.com/moby/buildkitfrom 0, < 0.12.5
Go/github.com/moby/buildkitfrom 0, < 0.12.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-23652
PATCHhttps://github.com/moby/buildkit
WEBhttps://github.com/moby/buildkit/pull/4603
WEBhttps://github.com/moby/buildkit/releases/tag/v0.12.5
WEBhttps://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8