CVE-2025-54388
BaseFortify
Publication date: 2025-07-30
Last updated on: 2025-09-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mobyproject | moby | From 28.2.0 (inc) to 28.3.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-909 | The product does not initialize a critical resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Moby versions 28.2.0 through 28.3.2 when the firewalld service is reloaded. The reload removes all iptables rules, including those created by Docker. Although Docker is supposed to recreate these rules automatically, versions before 28.3.3 fail to restore the specific rules that block external access to containers. As a result, containers with ports published to localhost (e.g., 127.0.0.1:8080) become accessible from remote machines that can route to the Docker bridge, even though they should only be accessible from the host itself. Unpublished ports remain protected. This issue is fixed in version 28.3.3.
How can this vulnerability impact me?
The vulnerability can expose containers that are intended to be accessible only from the local host to remote network access. This could allow unauthorized remote users to connect to services running inside containers on ports that were only published to localhost, potentially leading to unauthorized access, data exposure, or exploitation of containerized applications.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Moby to version 28.3.3 or later, where the issue is fixed. Until then, avoid reloading the firewalld service or manually verify and restore iptables rules that block external access to published container ports after a firewalld reload.
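The "manually verify" step above can be made mechanical: take an `iptables-save` snapshot before the firewalld reload, take another after Docker has had a chance to recreate its rules, and diff the Docker-managed chains (chain names beginning with `DOCKER`). Any rule present before and absent afterwards was not restored. The script below is an added example written for this page, not code from the advisory or the Moby project; the two sample snapshots it embeds are constructed for illustration, and their rule text is a stand-in rather than Docker's real output.

```shell
#!/bin/sh
# Added example (not from the advisory or the Moby project): detect Docker
# iptables rules that were dropped by a firewalld reload and not recreated,
# by diffing two iptables-save snapshots. Sample rule text below is
# constructed for illustration and is not Docker's actual output.

# Print rules in Docker-managed chains (names starting with "DOCKER") that
# are present in the BEFORE snapshot ($1) but absent from the AFTER one ($2).
docker_rules_missing() {
    before_rules=$(mktemp)
    after_rules=$(mktemp)
    grep -E '^-A DOCKER' "$1" | LC_ALL=C sort -u > "$before_rules"
    grep -E '^-A DOCKER' "$2" | LC_ALL=C sort -u > "$after_rules"
    # comm -23: lines only in the first (sorted) file
    LC_ALL=C comm -23 "$before_rules" "$after_rules"
    rm -f "$before_rules" "$after_rules"
}

# Number of missing rules; 0 means the reload left Docker's chains intact.
docker_rules_missing_count() {
    docker_rules_missing "$1" "$2" | wc -l | tr -d ' '
}

# Constructed snapshots: "before" carries an ACCEPT for a published port and
# a DROP that stands in for the rule restricting access to it; "after"
# lacks the DROP, which is the failure mode this check is meant to surface.
write_samples() {
    cat > "$1/before.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER ! -i docker0 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j DROP
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# On a real host the same check is:
#   iptables-save > /tmp/before.rules
#   firewall-cmd --reload
#   iptables-save > /tmp/after.rules          # after Docker has re-applied its rules
#   docker_rules_missing /tmp/before.rules /tmp/after.rules
# Non-empty output means rules were lost; restore them (restarting the Docker
# daemon recreates its rules) before relying on localhost-only publishing.

# Stand-alone demo on the constructed snapshots.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Rules missing after reload:"
docker_rules_missing "$demo_dir/before.rules" "$demo_dir/after.rules"
rm -rf "$demo_dir"
```

Run it after every `firewall-cmd --reload` on a host still on an affected version; an empty result is the expected state once 28.3.3 is installed, so the script also doubles as a post-upgrade check. It reads only `-A` lines, so chain declarations and counters do not produce false differences.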