CVE-2024-23652

10.0 CRITICAL

📋 TL;DR

When a RUN --mount target does not exist in the image, BuildKit creates an empty file or directory for the mountpoint and removes it again after the step. A malicious Dockerfile or BuildKit frontend can trick that cleanup into removing a file outside the container, on the host that runs the build (the advisory: it "could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system"). It affects anyone whose builder processes Dockerfiles or frontends from untrusted sources: Docker Engine's default builder, Docker Desktop, docker buildx builders and standalone buildkitd. The CVSS 10.0 score reflects that the attacker needs no privileges on the builder beyond getting it to run their build, and that the impact escapes the build sandbox to the host.

💻 Affected Systems

Products:
  • moby/buildkit (buildkitd, and the moby/buildkit image used by docker buildx builders)
  • Docker Engine and Docker Desktop, whose default builder embeds BuildKit
Versions: All BuildKit versions before v0.12.5
Operating Systems: Linux, Windows, macOS (the file is removed on whatever host runs the builder daemon; with Docker Desktop on macOS and Windows that is the Linux VM the daemon runs in)
Default Config Vulnerable: ⚠️ Yes (BuildKit has been the default backend for docker build since Docker Engine 23.0)
Notes: Exploitable only when the builder processes a Dockerfile that uses RUN --mount, or a BuildKit frontend (the # syntax= directive, or buildctl build --frontend), from an untrusted source.

📦 What is this software?

BuildKit is the Moby project's container build engine. Since Docker Engine 23.0 it is the default backend for docker build; it also runs as a standalone daemon (buildkitd, driven by the buildctl client) and inside the builders that docker buildx creates. It parses Dockerfiles through pluggable frontends (images pulled at build time, selected with the # syntax= directive) and adds features the legacy builder lacks, among them the RUN --mount cache, bind, secret and ssh mounts involved in this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

buildkitd normally runs as root, so any single file on the build host is a candidate for deletion. Removing a configuration file, a unit file, a key or a database file causes data loss or an outage, and removing a file that enforces a security control (an allowlist, a policy file, a sudoers fragment) can be the first step of a broader host compromise.

🟠

Likely Case

A Dockerfile from a public repository, a pull request that CI builds automatically, or a third-party # syntax= frontend deletes a configuration file, application data or a system file on the build host, typically a shared CI runner on which other jobs and their secrets also live.

🟢

If Mitigated

Limited impact when only reviewed, trusted Dockerfiles and digest-pinned frontends are built, on isolated, disposable build hosts with nothing else of value on them.

🌐 Internet-Facing: HIGH - any build service that compiles Dockerfiles submitted by outsiders (CI jobs triggered by pull requests on public repositories, build-as-a-service, shared runners) is directly vulnerable; the daemon itself does not need to be reachable from the internet.
🏢 Internal Only: MEDIUM - internal pipelines can still be reached through a compromised repository, a third-party # syntax= frontend, or an insider.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that the target build an attacker-controlled Dockerfile containing RUN --mount (or an attacker-controlled BuildKit frontend); the attacker needs no account or privileges on the build host.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.12.5

Vendor Advisory: https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8

Restart Required: Yes

Instructions:

1. Update standalone BuildKit (buildkitd) to v0.12.5 or later.
2. For Docker Engine, whose builder embeds BuildKit, update to Docker Engine 25.0.2 or later (its release notes list this CVE); Docker Desktop shipped the fix in 4.27.1. For other Engine lines, check the release notes for this CVE rather than the reported BuildKit version, because the embedded BuildKit is vendored and may be a patched older line.
3. Builders created with docker buildx create --driver docker-container run their own BuildKit image and are not updated with the Engine: remove and recreate them so they pull a fixed image, pinning it with --driver-opt image=moby/buildkit:v0.12.5 (or a later tag).
4. Restart the Docker daemon or the BuildKit service so the new binary is the one serving builds.

🔧 Temporary Workarounds

Avoid untrusted BuildKit frontends

all

Do not use BuildKit frontends from untrusted sources. A frontend is an image that BuildKit pulls and runs; it is selected by the # syntax= line at the top of a Dockerfile or by buildctl build --frontend. Reject Dockerfiles whose directive points anywhere other than the official docker/dockerfile images, and pin the reference by digest (@sha256:...) rather than by tag.

Disable RUN --mount for untrusted builds

all

BuildKit has no switch that turns RUN --mount off, so refuse to build Dockerfiles from untrusted sources that contain it, or build them with the legacy builder, which does not implement --mount (it fails the build with an error instead of running the step). The legacy builder is deprecated and lacks BuildKit's cache, secret and ssh mounts, so treat it as a stopgap:

DOCKER_BUILDKIT=0 docker build .

🧯 If You Can't Patch

  • Isolate build environments: run the builder in a disposable VM or a dedicated runner with nothing else of value on its filesystem, recreated per job, so a deleted file costs one job rather than the host; rootless BuildKit additionally limits deletions to files the unprivileged user can remove
  • Implement strict source control for Dockerfiles: build only from repositories you control, require review for changes to Dockerfiles and # syntax= lines, and gate builds on a scan for RUN --mount and unpinned frontends
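A pre-build gate that enforces the two workarounds above, written here as an added example (it is not part of the advisory or of the BuildKit project). It flags a # syntax= parser directive, which makes BuildKit pull and run an external frontend image (reported as unpinned when the reference carries no @sha256: digest), and any RUN instruction that carries --mount, including ones split across backslash-continued lines. The sample Dockerfile at the bottom is constructed for the demo; the only assumption beyond the page is that a reviewer treats docker/dockerfile as the trusted frontend family.

```shell
#!/bin/sh
# Added example (not from the advisory or BuildKit): flag the two things this CVE
# rides on before a Dockerfile is built.
# Usage: scan_dockerfile < Dockerfile   (one finding per line; exit 1 on any finding)

scan_dockerfile() {
    awk '
    # Inspect one logical (continuation-joined) line.
    function check(line,    low, ref) {
        if (line ~ /^[[:space:]]*$/) return
        low = tolower(line)
        if (low ~ /^[[:space:]]*#/) {
            # Parser directives only count before the first instruction.
            if (!seen_instr && low ~ /^[[:space:]]*#[[:space:]]*syntax[[:space:]]*=/) {
                ref = line
                sub(/^[^=]*=[[:space:]]*/, "", ref)
                sub(/[[:space:]]+$/, "", ref)
                if (ref ~ /@sha256:/) print "external frontend (pinned by digest): " ref
                else                   print "external frontend not pinned by digest: " ref
                found = 1
            }
            return
        }
        seen_instr = 1
        if (low ~ /^[[:space:]]*run[[:space:]]/ && low ~ /--mount(=|[[:space:]])/) {
            print "RUN --mount instruction: " line
            found = 1
        }
    }
    # Join backslash-continued lines into one logical line before checking.
    /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, "", $0); buf = buf $0 " "; next }
    { check(buf $0); buf = "" }
    END { check(buf); exit (found ? 1 : 0) }
    '
}

# Constructed sample Dockerfile (not from any real project): one unpinned frontend
# directive and two RUN --mount steps, the second split across continued lines.
SAMPLE_DOCKERFILE='# syntax=docker/dockerfile:1
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN --mount=type=cache,target=/root/.cache/pip \
    pip install -r requirements.txt
RUN \
    --mount=type=bind,source=.,target=/src \
    cp -r /src/app .
RUN echo "plain RUN, no mount"
CMD ["python", "app.py"]'

# Demo: prints three findings and exits non-zero.
printf '%s\n' "$SAMPLE_DOCKERFILE" | scan_dockerfile || echo "review before building"
```

Wire it into CI as a step that runs before docker build; a non-zero exit stops the job. A hit is not proof of malice, since RUN --mount is common in legitimate Dockerfiles, but it is the signal that the file needs a human look before an unpatched builder runs it.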

🔍 How to Verify

Check if Vulnerable:

Find the BuildKit version that actually serves your builds. docker buildx version reports the buildx CLI plugin, which is a separate component from the build daemon and says nothing about it.

  • Docker Engine's embedded builder: docker version (the fix is in Engine 25.0.2 and later; for other Engine lines consult the release notes for this CVE). docker buildx inspect shows the BuildKit version of the current builder in its Buildkit / BuildKit version field, as a cross-check.
  • Standalone buildkitd: buildkitd --version on the host, or buildctl debug info from a client.

Verify Fix Applied:

Confirm that every builder you use (docker buildx ls lists them) reports BuildKit v0.12.5 or higher, and that the Engine version is 25.0.2 or higher where the embedded builder is in use.
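A version check for the verification steps above, added here as an example (it is not from the advisory or the BuildKit project). It compares a BuildKit version string numerically against the fixed release, treats a pre-release of v0.12.5 as still vulnerable, and extracts the per-node version from docker buildx inspect output. Assumptions not on the page: version strings look like v0.12.5, v0.11.7+d3e6c1360dde or v0.12.5-rc1, and the inspect output labels the daemon version "Buildkit:" (older buildx) or "BuildKit version:" (newer buildx). The inspect output at the bottom is constructed for the demo, not a real capture.

```shell
#!/bin/sh
# Added example (not from the advisory or BuildKit): is this BuildKit at or above the fix?
FIXED="0.12.5"   # fixed release per the advisory

# "v0.11.7+d3e6c1360dde" -> "0.11.7": drop the leading v, build metadata and pre-release tag.
normalize_version() {
    v="${1#v}"
    v="${v%%+*}"
    v="${v%%-*}"
    printf '%s\n' "$v"
}

# Numeric comparison of dotted versions: prints 0 if $1 == $2, 1 if $1 > $2, 2 if $1 < $2.
# (A string comparison would rank 0.12.10 below 0.12.9.)
version_cmp() {
    awk -v a="$(normalize_version "$1")" -v b="$(normalize_version "$2")" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x > y) { print 1; exit }
            if (x < y) { print 2; exit }
        }
        print 0
    }'
}

# Exit 0 when the version carries the fix (>= v0.12.5), 1 otherwise.
# A pre-release of the fixed version (v0.12.5-rc1) predates the release: vulnerable.
buildkit_fixed() {
    case "$(version_cmp "$1" "$FIXED")" in
        1) return 0 ;;
        0) case "$1" in *-*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
    esac
}

# Extract the BuildKit version of every node from `docker buildx inspect` text on stdin.
buildkit_versions_from_inspect() {
    awk '/^[[:space:]]*Build[Kk]it( version)?:/ { print $NF }'
}

# One verdict per node; exit 1 if any node still runs a vulnerable BuildKit.
report() {
    bad=0
    for v in $(buildkit_versions_from_inspect); do
        if buildkit_fixed "$v"; then
            echo "ok         $v"
        else
            echo "VULNERABLE $v (fixed in v$FIXED)"; bad=1
        fi
    done
    return "$bad"
}

# Constructed `docker buildx inspect` output (not a real capture) with one pre-fix node.
SAMPLE_INSPECT='Name:          default
Driver:        docker

Nodes:
Name:      default
Endpoint:  default
Status:    running
Buildkit:  v0.11.7+d3e6c1360dde
Platforms: linux/amd64, linux/386'

printf '%s\n' "$SAMPLE_INSPECT" | report || echo "upgrade needed (see Official Fix)"
# Against the live builder:  docker buildx inspect | report
```

For Docker Engine's embedded builder the reported version is the vendored one and may be a patched older line, so a VULNERABLE verdict there means "check the Engine version and release notes", not necessarily "unpatched"; for standalone buildkitd and docker-container builders the verdict is authoritative.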

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events on the build host during builds: audit records of unlink/unlinkat issued by buildkitd or dockerd whose path lies outside the builder's data directory (/var/lib/buildkit or /var/lib/docker by default)
  • BuildKit errors related to mount operations in the daemon log (the daemon logs mount failures; it does not log the Dockerfile's instructions)

Network Indicators:

  • Build requests from untrusted sources to build servers, and frontend image pulls triggered by # syntax= directives from registries you do not control

SIEM Query:

source="docker" AND "build" AND ("RUN --mount" OR "mountpoint")

This matches CI or build-output logs, where BuildKit's progress output echoes each instruction (for example "[2/4] RUN --mount=type=cache,..."); the daemon's own log does not contain Dockerfile text. Treat hits as triage input rather than evidence of exploitation, since RUN --mount is common in legitimate Dockerfiles.
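The host-side detection behind the first log indicator above, added here as an example (not from the advisory, BuildKit or any SIEM vendor): auditd rules that record every unlink/unlinkat made by the builder daemon, and a filter that pulls out the deleted paths that fall outside the builder's own data directories. Assumptions not on the page: daemon binaries at /usr/bin/buildkitd and /usr/bin/dockerd, data directories /var/lib/buildkit and /var/lib/docker, an x86_64 host (arch=b64), and the rule key buildkit_unlink. The audit lines at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the advisory or BuildKit): catch the builder daemon deleting
# files it has no business touching.

# Rules to append to /etc/audit/rules.d/buildkit.rules, then load with augenrules --load.
# Only the builder daemons' deletions are recorded, which keeps the volume manageable.
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S unlink -S unlinkat -F exe=/usr/bin/buildkitd -k buildkit_unlink
-a always,exit -F arch=b64 -S unlink -S unlinkat -F exe=/usr/bin/dockerd -k buildkit_unlink
EOF
}

# Read audit.log on stdin; print "<event id> <path>" for each file deleted by a keyed
# syscall outside the allowlisted prefixes; exit 1 if anything was printed.
# auditd writes the SYSCALL record before the PATH records of the same event, and all
# records of one event share the id inside msg=audit(<timestamp>:<id>).
suspicious_deletions() {
    awk -v allow="/var/lib/buildkit/ /var/lib/docker/" '
    BEGIN { n = split(allow, prefix, " ") }
    function event_id(s) { sub(/^.*msg=audit\([0-9.]*:/, "", s); sub(/\).*$/, "", s); return s }
    # Value of a quoted field such as name="/etc/x" (hex-encoded names are not decoded).
    function quoted(s, key) {
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /^type=SYSCALL / && /key="buildkit_unlink"/ { keyed[event_id($0)] = 1 }
    /^type=PATH / && /nametype=DELETE/ && (event_id($0) in keyed) {
        p = quoted($0, "name")
        ok = 0
        for (i = 1; i <= n; i++) if (index(p, prefix[i]) == 1) ok = 1
        if (!ok) { print event_id($0), p; found = 1 }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed audit.log excerpt (not a real capture): a benign cleanup inside the
# BuildKit data directory, a deletion under /etc by buildkitd, and an unrelated rm.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1706800000.101:4567): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=1234 uid=0 comm="buildkitd" exe="/usr/bin/buildkitd" key="buildkit_unlink"
type=PATH msg=audit(1706800000.101:4567): item=0 name="/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/12/fs/tmp/" nametype=PARENT
type=PATH msg=audit(1706800000.101:4567): item=1 name="/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/12/fs/tmp/cache" nametype=DELETE
type=SYSCALL msg=audit(1706800000.250:4568): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=1234 uid=0 comm="buildkitd" exe="/usr/bin/buildkitd" key="buildkit_unlink"
type=PATH msg=audit(1706800000.250:4568): item=0 name="/etc/ssh/" nametype=PARENT
type=PATH msg=audit(1706800000.250:4568): item=1 name="/etc/ssh/sshd_config" nametype=DELETE
type=SYSCALL msg=audit(1706800000.300:4569): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=999 uid=0 comm="rm" exe="/usr/bin/rm" key=(null)
type=PATH msg=audit(1706800000.300:4569): item=1 name="/tmp/scratch" nametype=DELETE'

# Demo: reports "4568 /etc/ssh/sshd_config" and exits non-zero.
printf '%s\n' "$SAMPLE_AUDIT" | suspicious_deletions || echo "investigate the events above"
# Live use:  ausearch -k buildkit_unlink --raw | suspicious_deletions
```

Expect some noise the first day: buildkitd legitimately removes files under its data directory and under any directory you configure as a cache or export target, so extend the allowlist to match your deployment before alerting on the output.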

🔗 References

  • https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8
  • https://nvd.nist.gov/vuln/detail/CVE-2024-23652
  • https://github.com/moby/buildkit/releases/tag/v0.12.5
