CVE-2024-23651

8.7 HIGH

📋 TL;DR

This CVE describes a race condition vulnerability in BuildKit where two malicious build steps running in parallel with shared cache mounts could allow unauthorized access to host system files from within the build container. This affects organizations using BuildKit for container builds, particularly in CI/CD pipelines. The vulnerability requires specific cache mount configurations to be exploitable.

💻 Affected Systems

Products:
  • moby/buildkit
Versions: All versions before v0.12.5
Operating Systems: All platforms running BuildKit
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using cache mounts with subpaths in parallel build steps from untrusted sources.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could exfiltrate sensitive host system files including secrets, configuration files, or source code, potentially leading to complete system compromise.

🟠

Likely Case

Unauthorized access to build environment files, potentially exposing build secrets or temporary files, but requiring specific malicious build configurations.

🟢

If Mitigated

Limited impact with proper access controls, isolated build environments, and trusted build sources only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control over build steps and specific cache mount configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.12.5

Vendor Advisory: https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv

Restart Required: Yes

Instructions:

1. Stop all BuildKit services.
2. Update BuildKit to v0.12.5 or later.
3. Restart BuildKit services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Avoid untrusted build sources

Applies to: all

Do not use BuildKit frontends from untrusted sources or build untrusted Dockerfiles containing cache mounts.

Disable cache mounts for untrusted builds

Applies to: all

Avoid using --mount=type=cache,source=... options when building from untrusted sources.

🧯 If You Can't Patch

  • Isolate build environments using container namespaces or virtual machines
  • Implement strict access controls and audit all build configurations for cache mount usage

🔍 How to Verify

Check if Vulnerable:

Check the BuildKit version with: buildkitd --version. If the version is below 0.12.5 and cache mounts are used in parallel build steps, the system is vulnerable.

Check Version:

buildkitd --version

Verify Fix Applied:

Verify BuildKit version is 0.12.5 or higher: buildkitd --version
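The following POSIX shell script is an added example for this page, not part of the advisory or of BuildKit itself; it automates the version check above so it can run in a fleet inventory job. It assumes that buildkitd --version prints a vX.Y.Z token somewhere in its output (for example "buildkitd github.com/moby/buildkit v0.12.4 <commit>"); the helper names and the FIXED_VERSION constant are the example's own.

```shell
#!/bin/sh
# Added example: decide whether a BuildKit version string is below the
# fixed release v0.12.5 for CVE-2024-23651.

FIXED_VERSION="0.12.5"   # first release carrying the fix, per the advisory

# version_lt A B: exit 0 if A is strictly older than B.
# Compares MAJOR.MINOR.PATCH numerically; a leading "v" and any
# pre-release/build suffix ("-rc1", "+meta") are stripped first, so a
# pre-release of the fixed version is treated as fixed (assumption).
version_lt() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*$//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal
}

# extract_version TEXT: print the first vX.Y.Z token found in TEXT
# (assumed output shape of `buildkitd --version`), or nothing.
extract_version() {
    printf '%s' "$1" | grep -o 'v[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# buildkit_vulnerable TEXT: exit 0 when the version in TEXT is below the
# fix, 1 when it is at or above the fix, 2 when no version could be parsed.
buildkit_vulnerable() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || return 2
    version_lt "$ver" "$FIXED_VERSION"
}

# Live check when buildkitd is installed on this host; otherwise skipped.
if command -v buildkitd >/dev/null 2>&1; then
    out=$(buildkitd --version 2>/dev/null || true)
    if buildkit_vulnerable "$out"; then
        echo "VULNERABLE: $(extract_version "$out") is below v$FIXED_VERSION"
    elif [ "$?" -eq 2 ]; then
        echo "UNKNOWN: could not parse version from: $out"
    else
        echo "OK: $(extract_version "$out") is v$FIXED_VERSION or later"
    fi
fi
```

A version at or above v0.12.5 only confirms the patch is present; the workarounds above (no cache mounts on builds from untrusted sources) remain the control for hosts that report VULNERABLE until they are upgraded and restarted.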

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in build logs
  • Multiple parallel build steps accessing same cache mounts

Network Indicators:

  • Unexpected outbound connections from build containers during cache operations

SIEM Query:

source="buildkit" AND ("cache mount" OR "--mount=type=cache") AND "parallel"

🔗 References
