CVE-2025-13743

7.5 HIGH

📋 TL;DR

Docker Desktop diagnostics bundles include expired Docker Hub Personal Access Tokens (PATs) in their log output: when Docker Hub returns an access denied error, the error object is serialized whole, including the credential it carried, and that serialized object lands in the logs that the bundle collects. Anyone who obtains an exported bundle can read the token value. Users who generate a troubleshooting bundle after encountering an access denied error are the ones affected.
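The serialization bug described above, shown as an added Python example (not Docker's code; Docker Desktop's real error type and fields are not on this page, so `HubAuthError`, `make_sample_error`, the sample token and the assumed tail length of the `dckr_pat_` pattern are all hypothetical): a client error that drags the failed request along, dumped with a catch-all serializer, beside a version that logs an allow-list of fields and scrubs token-shaped strings.

```python
import json
import re

# Docker Hub PATs begin with "dckr_pat_"; the tail alphabet and minimum length are assumptions.
PAT_RE = re.compile(r"dckr_pat_[A-Za-z0-9_-]{20,}")

# Constructed, already-expired sample token; not a real credential.
SAMPLE_PAT = "dckr_pat_EXPIREDexampleTOKEN0123456789"


class HubAuthError(Exception):
    """Hypothetical error raised when Docker Hub rejects a request.

    Like many HTTP client errors it keeps the whole failed request as an
    attribute, including the Authorization header that carried the PAT.
    """

    def __init__(self, status, message, request):
        super().__init__(message)
        self.status = status
        self.message = message
        self.request = request


def make_sample_error():
    """Build the error a client would raise for an 'access denied' from Hub (constructed data)."""
    return HubAuthError(
        status=401,
        message="access denied: token expired",
        request={
            "method": "GET",
            "url": "https://hub.docker.com/v2/repositories/example/private/",
            "headers": {"Authorization": f"Bearer {SAMPLE_PAT}"},
        },
    )


def serialize_error_naive(err):
    """Leaky pattern: dump every attribute of the error object into the log line."""
    return json.dumps(vars(err), default=str)


def serialize_error_safe(err):
    """Hardened pattern: emit an allow-list of fields, then scrub anything token-shaped."""
    safe = {
        "type": type(err).__name__,
        "status": getattr(err, "status", None),
        "message": str(err),
        "url": err.request.get("url") if hasattr(err, "request") else None,
    }
    # The scrub is a second line of defence in case a message ever echoes the token.
    return PAT_RE.sub("dckr_pat_[REDACTED]", json.dumps(safe))


def leaks_pat(serialized):
    """True if a serialized log line still contains a PAT value."""
    return bool(PAT_RE.search(serialized))


if __name__ == "__main__":
    err = make_sample_error()
    print("naive:", serialize_error_naive(err))
    print("safe: ", serialize_error_safe(err))
```

The allow-list is the fix that matters; the regex scrub only catches tokens that follow the known prefix and would miss a credential in an unexpected shape, so it should never be the only control.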

💻 Affected Systems

Products:
  • Docker Desktop
Versions: All releases prior to the fixed release (specific version TBD from vendor advisory)
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only bundles exported via the Troubleshoot menu are affected, and only when a Docker Hub authentication error (access denied on an expired PAT) was logged before the export.

📦 What is this software?

Docker Desktop is Docker's desktop application for Windows, macOS and Linux. It bundles the Docker Engine, the Docker CLI and a GUI, signs the user in to Docker Hub (with a password or a Personal Access Token) and offers a Troubleshoot menu that exports a diagnostics bundle of logs and configuration for support.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A third party who obtains the bundle (support staff, a ticketing system, a shared drive, a public bug report) reads the literal PAT value and learns which Docker Hub account it belonged to. An expired PAT cannot authenticate by itself, so the worst case is a bundle captured while a token that was denied was still usable, or a bundle that lets an attacker correlate the leaked token with credentials that are still valid, giving unauthorized access to that account's Docker Hub repositories.

🟠

Likely Case

An exported bundle ends up with support staff, in a ticketing system or on a shared drive, and anyone with access to that file, including unauthorized personnel or an attacker who has compromised the share, can read the credential out of the logs.

🟢

If Mitigated

With access controls on bundle storage and sanitization of bundles before they are shared, exposure is limited to the authorized personnel who handle the diagnostics.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to exported diagnostic bundles, which are typically generated by authorized users for troubleshooting purposes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Docker Desktop release notes for specific version

Vendor Advisory: https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#troubleshoot-menu (this is Docker's Troubleshoot menu documentation; the fixed version is listed in the Docker Desktop release notes)

Restart Required: Yes

Instructions:

1. Open Docker Desktop
2. Check for updates in Settings
3. Install the latest version
4. Restart Docker Desktop

🔧 Temporary Workarounds

Avoid generating diagnostics bundles (all platforms)

Until patched, treat every exported bundle as if it contains credentials: do not export one while a Docker Hub access denied error is present, and do not share one without sanitizing it first.

Manual log sanitization (all platforms)

Before sharing a bundle, unpack it, search every log file for the Docker Hub PAT prefix `dckr_pat_`, and redact each match before repacking.

🧯 If You Can't Patch

  • Restrict access to diagnostic bundles to authorized personnel only
  • Implement strict access controls on directories, shares and ticketing systems that hold diagnostic files
  • Revoke any PAT that appears in a bundle that has already been shared, and rotate the affected account's other tokens from the Docker Hub account settings

🔍 How to Verify

Check if Vulnerable:

Compare the installed Docker Desktop version with the patched version in the release notes. Note that `docker --version` reports only the Docker CLI version, not the Docker Desktop release.

Check Version:

docker version

The Server section of the output reports the Docker Desktop release (for example "Server: Docker Desktop 4.x.y"); the About dialog in the Docker Desktop dashboard shows the same number.

Verify Fix Applied:

Update to the latest version, reproduce an access denied error against Docker Hub with an expired PAT, export a new diagnostics bundle and search its logs for `dckr_pat_`; no token value should appear.

📡 Detection & Monitoring

Log Indicators:

  • Diagnostic bundles containing Docker Hub PAT values (strings beginning with `dckr_pat_`) or other Docker Hub authentication tokens in log files

Network Indicators:

  • Unauthorized Docker Hub API calls using leaked tokens

SIEM Query:

Search log files and extracted diagnostic archives for the string `dckr_pat_`. Matches on `docker.io` or `hub.docker.com` alone are normal Docker Hub traffic, so use them only to scope a search, not as an alert condition.
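For the manual sanitization workaround, the "Verify Fix Applied" step and the log indicator above, here is an added Python script (not part of this page or of Docker Desktop) that scans an exported bundle zip for Docker Hub PATs and writes a redacted copy. The bundle member names, the sample log lines and the token value are constructed; the `dckr_pat_` prefix with a liberal tail pattern is an assumption about the token format.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Docker Hub PATs start with "dckr_pat_"; the assumed tail alphabet and length are deliberately generous.
PAT_RE = re.compile(r"dckr_pat_[A-Za-z0-9_-]{20,}")

# Constructed log content standing in for a host log inside an exported diagnostics bundle.
SAMPLE_LOG = (
    "2025-11-20T10:15:02Z INFO hub: refreshing credentials\n"
    "2025-11-20T10:15:03Z ERROR hub: access denied "
    '{"status":401,"request":{"headers":{"Authorization":"Bearer dckr_pat_EXPIREDexampleTOKEN0123456789"}}}\n'
    "2025-11-20T10:15:04Z INFO hub: retry scheduled\n"
)


def build_sample_bundle(path):
    """Write a tiny zip laid out like a diagnostics bundle (member names are constructed)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("docker-desktop/logs/host/backend.log", SAMPLE_LOG)
        zf.writestr("docker-desktop/logs/host/settings.json", '{"autoStart": true}\n')
    return path


def find_pats(text):
    """Return the distinct token values found in a block of text, sorted for stable output."""
    return sorted(set(PAT_RE.findall(text)))


def scan_bundle(path):
    """Map each zip member to the PATs it contains; members with no match are omitted."""
    hits = {}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="replace")
            found = find_pats(text)
            if found:
                hits[name] = found
    return hits


def redact_bundle(src, dst):
    """Copy the bundle to dst with every token replaced by a fixed marker; return the replacement count.

    Members with no match are copied byte-for-byte, so binary members stay intact
    unless a token actually appears in them.
    """
    replaced = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            text, n = PAT_RE.subn("dckr_pat_[REDACTED]", data.decode("utf-8", errors="replace"))
            replaced += n
            zout.writestr(info.filename, text.encode("utf-8") if n else data)
    return replaced


def demo(directory=None):
    """End to end: build the sample bundle, scan it, redact it, scan the redacted copy."""
    directory = Path(directory or tempfile.mkdtemp())
    src = build_sample_bundle(directory / "bundle.zip")
    dst = directory / "bundle-redacted.zip"
    before = scan_bundle(src)
    replaced = redact_bundle(src, dst)
    after = scan_bundle(dst)
    return {"before": before, "replaced": replaced, "after": after}


if __name__ == "__main__":
    result = demo()
    for member, tokens in result["before"].items():
        print(f"{member}: {len(tokens)} token(s)")
    print(f"redacted {result['replaced']} occurrence(s); remaining after redaction: {result['after']}")
```

Run `scan_bundle` on a real export before attaching it to a support ticket; a non-empty result means the bundle needs `redact_bundle` (or the fix) before it leaves the machine. After the patch, the same scan on a freshly exported bundle is the quickest way to confirm the tokens are gone.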
