CVE-2024-23652

Name: CVE-2024-23652
Creator: NVD / NIST
Published: 2024-01-31T22:15:54.377+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.1/10EPSS 2.04%

Last modified Jun 17, 2026

CVE-2024-23652 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. EPSS estimates a 2.04% chance of exploitation in the next 30 days.

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.

Metrics

CVSS 3.1

9.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Probability

2.04%

78.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions
Mobyproject	Buildkit	< 0.12.5

References

https://github.com/moby/buildkit/pull/4603Patch, Vendor Advisory
https://github.com/moby/buildkit/releases/tag/v0.12.5Patch, Release Notes
https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8Vendor Advisory
https://github.com/moby/buildkit/pull/4603Patch, Vendor Advisory
https://github.com/moby/buildkit/releases/tag/v0.12.5Patch, Release Notes
https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8Vendor Advisory

Timeline

Published: Jan 31, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-23652?

How severe is CVE-2024-23652?

CVE-2024-23652 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 2.04% probability of exploitation in the next 30 days.

How do I fix CVE-2024-23652?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-23652?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST