Docker Buildx OpenTelemetry Trace Vulnerability Exposing Secrets
Vulnerability
Docker Buildx is a Docker CLI plugin that extends Docker's build capabilities using BuildKit. Its cache backends (for example s3, azblob and gha) accept credentials directly as attribute values in the --cache-to and --cache-from options. When a Buildx command is traced, the CLI's arguments and flags are recorded as part of the OpenTelemetry trace, so credentials supplied this way are captured verbatim in those traces, and the same traces are also saved in the BuildKit daemon's history records. Credentials that reach the GitHub Actions cache backend through environment variables, and credentials obtained through registry authentication (docker login), never appear in the command line and are not affected.
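As an added example, not code from this advisory or from the Buildx project, the following POSIX shell script scans a docker buildx argv for the exact pattern described above: credentials passed as --cache-to / --cache-from attribute values, which is what a traced invocation records. It runs offline and needs no docker binary. The function names, the sample command lines, the placeholder credentials, and the list of credential attribute names (taken from the s3, azblob and gha backend options) are all this example's own assumptions.

```shell
#!/bin/sh
# Added example; not code from the Buildx project or from this advisory.
# Scans a docker buildx argv for cache backend credentials passed as
# --cache-to / --cache-from attribute values, the pattern the advisory
# says is captured in OpenTelemetry traces and BuildKit history records.

is_secret_key() {
    # 0 when $1 names a credential attribute of the s3/azblob/gha backends.
    # Assumption: this list is maintained by hand; extend it for other backends.
    case $1 in
        access_key_id|secret_access_key|session_token|token) return 0 ;;
    esac
    return 1
}

scan_cache_value() {
    # $1: flag name; $2: "type=s3,region=...,access_key_id=..." style value.
    # Prints "<flag>:<key>" for each credential attribute; returns 0 if any.
    found=1
    old_ifs=$IFS
    IFS=,
    for kv in $2; do
        key=${kv%%=*}
        if is_secret_key "$key"; then
            echo "$1:$key"
            found=0
        fi
    done
    IFS=$old_ifs
    return $found
}

find_cache_secrets() {
    # Walks a full buildx argv. Returns 0 when the command is clean and 1
    # when at least one credential would be recorded along with the argv.
    leaks=0
    while [ $# -gt 0 ]; do
        case $1 in
            --cache-to|--cache-from)
                if [ $# -ge 2 ]; then
                    scan_cache_value "$1" "$2" && leaks=1
                    shift
                fi
                ;;
            --cache-to=*|--cache-from=*)
                scan_cache_value "${1%%=*}" "${1#*=}" && leaks=1
                ;;
        esac
        shift
    done
    [ "$leaks" -eq 0 ]
}

# Constructed samples with placeholder credentials (not real keys).
LEAKY_CACHE="type=s3,region=eu-west-1,bucket=build-cache,access_key_id=AKIAEXAMPLE,secret_access_key=EXAMPLESECRET"
# Hardened form: same backend with the credential attributes omitted, so
# BuildKit's s3 backend resolves them on the daemon side (AWS_ACCESS_KEY_ID
# and friends / the AWS credential chain) and the traced argv never sees them.
SAFE_CACHE="type=s3,region=eu-west-1,bucket=build-cache"

if find_cache_secrets build --cache-to "$LEAKY_CACHE" . >/dev/null; then
    echo "leaky form: clean (unexpected)"
else
    echo "leaky form: credentials in argv, would appear in traces and history"
fi
find_cache_secrets build --cache-to "$SAFE_CACHE" . && echo "safe form: clean"
```

Run it over the buildx command lines in your CI scripts before enabling tracing on an affected Buildx version; any hit means that credential should be moved to the daemon's environment (s3, azblob), to ACTIONS_RUNTIME_TOKEN / ACTIONS_CACHE_URL (gha), or to registry authentication, and rotated if the command has already been traced.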
Impact
Anyone who can read the exported traces (an OpenTelemetry collector or tracing backend the build reports to) or the BuildKit daemon's history records can recover the cache backend credentials in clear text. Treat any credential that was passed as a cache-to/cache-from attribute on an affected version as exposed: rotate it, supply credentials through environment variables or registry authentication instead, and clear or restrict access to history records and trace stores that may already contain it.
