VYPR
Low severity · NVD Advisory · Published Jul 30, 2025 · Updated Jul 30, 2025

Moby's Firewalld reload removes bridge network isolation

CVE-2025-54410

Description

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld-related vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create the iptables rules that isolate bridge networks from one another, allowing any container to reach all ports on any other container across different bridge networks on the same host. This breaks the network segmentation between containers that should be isolated and creates significant risk in multi-tenant environments. Only containers in --internal networks remain protected. Workarounds: after a firewalld reload, restart the Docker daemon or re-create the bridge networks; alternatively, run Docker in rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Moby (Docker Engine) before 28.0.0, a firewalld reload removes iptables rules that isolate bridge networks, allowing cross-network container access.

Vulnerability

Overview

The vulnerability lies in how the Moby (Docker Engine) daemon interacts with firewalld [1][4]. When firewalld is reloaded (e.g., via firewall-cmd --reload), the iptables rules that Docker installs to isolate containers on different bridge networks are flushed, and Moby does not re-create them [4]. All Moby releases before 28.0.0 are affected, including Docker Engine, Mirantis Container Runtime, and downstream projects [1]. The root cause is that the daemon had no callback to restore per-network iptables rules after a firewalld reload; the fix adds one and restores rules only for networks that still exist, so rules for networks that were deleted in the meantime do not reappear [3].

Exploitation

Conditions

An attacker needs no privilege beyond the ability to run a container on the same Docker host. The window opens when an administrator or a system process triggers a firewalld reload (e.g., via firewall-cmd --reload, systemctl reload firewalld, or sending firewalld SIGHUP) [4]; the attacker does not have to trigger the reload themselves. After the reload, segmentation between non-internal bridge networks collapses. Only containers in networks created with --internal remain protected [1][4]. No authentication or network position beyond having a container on the host is required.

Impact

Once the isolation rules are lost, any container can reach all ports on any other container across different bridge networks on the same host [1][4]. This breaks network segmentation and enables lateral movement in multi-tenant environments where containers are meant to be isolated: an attacker can scan for services, attack exposed ports, and compromise other tenants' containers. Because the condition persists silently until the daemon is restarted or the networks are re-created, the host stays exposed for as long as it runs after the reload.

Mitigation

Moby versions 28.0.0 and newer are not affected, and the fix is also backported in version 25.0.13 [1][4]. Workarounds: after a firewalld reload, restart the Docker daemon or re-create the bridge networks so that the isolation rules are re-installed; alternatively, run Docker in rootless mode [1][4]. The official fix, merged as PR #49728, restores iptables rules on firewalld reload only for networks that currently exist, so rules for deleted networks are not re-created [3].
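A host-side check for the condition described under Conditions and Mitigation, as an added example that is not Moby's own code. It assumes the iptables layout Docker versions before 28 use on the host (each non-internal bridge interface <br> gets `-A DOCKER-ISOLATION-STAGE-1 -i <br> ! -o <br> -j DOCKER-ISOLATION-STAGE-2` and `-A DOCKER-ISOLATION-STAGE-2 -o <br> -j DROP`), and it decides that a bridge has lost isolation when either rule is absent from `iptables -S` output. The function names, the sample rule dumps and the bridge names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Moby's own code): report Docker bridges whose inter-network
# isolation rules are gone, e.g. after `firewall-cmd --reload` on an unpatched
# daemon. Assumes the Docker <28 layout of the DOCKER-ISOLATION-STAGE-1/2 chains.

# missing_isolation_bridges BRIDGES
#   BRIDGES: space-separated bridge interface names that must be isolated
#   stdin:   output of `iptables -S` (filter table)
#   stdout:  bridges lacking either isolation rule, space-separated ("" = all good)
missing_isolation_bridges() {
    rules=$(cat)
    missing=""
    for br in $1; do
        case "$rules" in
            *"-A DOCKER-ISOLATION-STAGE-1 -i $br ! -o $br -j DOCKER-ISOLATION-STAGE-2"*)
                case "$rules" in
                    *"-A DOCKER-ISOLATION-STAGE-2 -o $br -j DROP"*) ;;
                    *) missing="$missing $br" ;;
                esac ;;
            *) missing="$missing $br" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# isolated_bridge_ifaces: on a live host, list the interfaces of all non-internal
# bridge networks. Assumes the default naming (docker0 for the default bridge,
# br-<first 12 chars of the network ID> otherwise, unless the
# com.docker.network.bridge.name option overrides it). --internal networks are
# skipped because they keep their own rules (see Conditions).
isolated_bridge_ifaces() {
    for id in $(docker network ls --filter driver=bridge -q); do
        docker network inspect --format \
            '{{.Internal}} {{printf "%.12s" .ID}} {{index .Options "com.docker.network.bridge.name"}}' "$id"
    done | while read -r internal shortid name; do
        [ "$internal" = "true" ] && continue
        if [ -n "$name" ]; then printf '%s ' "$name"; else printf 'br-%s ' "$shortid"; fi
    done
}

# Constructed sample: filter table of a host with docker0 and two user-defined
# bridges while isolation is intact.
SAMPLE_INTACT='-P FORWARD DROP
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i br-1a2b3c4d5e6f ! -o br-1a2b3c4d5e6f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-6f5e4d3c2b1a ! -o br-6f5e4d3c2b1a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-1a2b3c4d5e6f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-6f5e4d3c2b1a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN'

# Constructed sample after a firewalld reload on an unpatched daemon: the
# per-bridge isolation rules are gone. (What else survives depends on the
# daemon version; only the two isolation rules per bridge matter here.)
SAMPLE_AFTER_RELOAD='-P FORWARD DROP
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -j RETURN'

BRIDGES="docker0 br-1a2b3c4d5e6f br-6f5e4d3c2b1a"

# Live mode (`sh check-isolation.sh --live`, as root): compare the real rule set
# against the real bridge list and point at the documented workaround.
if [ "${1-}" = "--live" ]; then
    missing=$(iptables -S | missing_isolation_bridges "$(isolated_bridge_ifaces)")
    if [ -n "$missing" ]; then
        echo "isolation rules missing for: $missing (restart dockerd or re-create these networks)"
        exit 2
    fi
    echo "all non-internal bridges still isolated"
fi
```

Run it from a cron job or a firewalld-adjacent systemd timer on hosts that cannot yet move to 28.0.0 or 25.0.13; a non-empty result means the host is in the vulnerable state and needs the daemon restart or network re-creation the advisory describes.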

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem  Affected versions           Patched versions
github.com/docker/docker        Go         < 25.0.13                   25.0.13
github.com/docker/docker        Go         >= 26.0.0-rc1, < 28.0.0     28.0.0
