/
DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2025-0495

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-0495

CGA ID

CGA-6v2x-x523-5635

Severity

Unknown

Description

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit.

Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records.

This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.

References

  • https://images.chainguard.dev/security/CGA-6v2x-x523-5635
  • https://github.com/advisories/GHSA-m4gq-fm9h-8q75
  • https://github.com/docker/buildx
  • https://security-tracker.debian.org/tracker/CVE-2025-0495

Affected packages

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsPricingContact UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogEventsTrust CenterDocumentation