VYPR
High severityNVD Advisory· Published Jan 31, 2024· Updated May 29, 2025

BuildKit possible race condition with accessing subpaths from cache mounts

CVE-2024-23651

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/moby/buildkitGo
< 0.12.50.12.5

Affected products

137

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.