CVE-2025-54388

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-54388
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54388.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-54388
Published
2025-07-30T14:15:28Z
Modified
2025-07-31T20:51:07.646630Z
Summary
[none]
Details

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, a reload of the firewalld service removes all iptables rules, including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. As a result, after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports; unpublished ports remain protected. This issue is fixed in version 28.3.3.

Affected packages

Debian:11 / docker.io

Package

Name
docker.io
Purl
pkg:deb/debian/docker.io?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.5+dfsg1-1
20.10.5+dfsg1-1+deb11u1
20.10.5+dfsg1-1+deb11u2
20.10.5+dfsg1-1+deb11u3
20.10.5+dfsg1-1+deb11u4
20.10.8+dfsg1-1
20.10.8+dfsg1-2
20.10.10+dfsg1-1
20.10.11+dfsg1-1
20.10.11+dfsg1-2
20.10.14+dfsg1-1
20.10.17+dfsg1-1
20.10.19+dfsg1-1
20.10.21+dfsg1-1
20.10.22+dfsg1-1
20.10.22+dfsg1-2
20.10.23+dfsg1-1
20.10.24+dfsg1-1
20.10.25+dfsg1-1
20.10.25+dfsg1-2
20.10.25+dfsg1-3
20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1
26.1.4+dfsg1-2
26.1.4+dfsg1-3
26.1.4+dfsg1-4
26.1.4+dfsg1-5
26.1.4+dfsg1-6
26.1.4+dfsg1-7
26.1.4+dfsg1-8
26.1.4+dfsg1-9
26.1.4+dfsg2-1
26.1.4+dfsg3-1
26.1.5+dfsg1-1
26.1.5+dfsg1-2
26.1.5+dfsg1-3
26.1.5+dfsg1-4
26.1.5+dfsg1-5
26.1.5+dfsg1-6
26.1.5+dfsg1-7
26.1.5+dfsg1-8
26.1.5+dfsg1-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / docker.io

Package

Name
docker.io
Purl
pkg:deb/debian/docker.io?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.24+dfsg1-1
20.10.24+dfsg1-1+deb12u1
20.10.25+dfsg1-1
20.10.25+dfsg1-2
20.10.25+dfsg1-3
20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1
26.1.4+dfsg1-2
26.1.4+dfsg1-3
26.1.4+dfsg1-4
26.1.4+dfsg1-5
26.1.4+dfsg1-6
26.1.4+dfsg1-7
26.1.4+dfsg1-8
26.1.4+dfsg1-9
26.1.4+dfsg2-1
26.1.4+dfsg3-1
26.1.5+dfsg1-1
26.1.5+dfsg1-2
26.1.5+dfsg1-3
26.1.5+dfsg1-4
26.1.5+dfsg1-5
26.1.5+dfsg1-6
26.1.5+dfsg1-7
26.1.5+dfsg1-8
26.1.5+dfsg1-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / docker.io

Package

Name
docker.io
Purl
pkg:deb/debian/docker.io?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

26.*

26.1.5+dfsg1-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/moby/moby

Affected ranges

Type
GIT
Repo
https://github.com/moby/moby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.0.3

Other

autorun/1

docs-v1.*

docs-v1.12.0-rc4-2016-07-15

upstream/0.*

upstream/0.1.1
upstream/0.1.2
upstream/0.1.3
upstream/0.1.4

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.11.1
v0.12.0
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.7.0
v0.7.0-rc5
v0.7.0-rc6
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.8.0
v0.8.1
v0.9.0

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1

v17.*

v17.12.0-ce-rc1

v18.*

v18.04.0-ce-rc1
v18.06.0-ce-rc1
v18.09.0-ce-tp0

v19.*

v19.03.0-beta1
v19.03.0-beta2
v19.03.0-beta3

v20.*

v20.10.0
v20.10.0-beta1
v20.10.0-rc1
v20.10.0-rc2
v20.10.1
v20.10.2

v22.*

v22.06.0-beta.0

v24.*

v24.0.0-beta.1
v24.0.0-beta.2
v24.0.0-rc.1
v24.0.0-rc.2

v25.*

v25.0.0
v25.0.0-beta.1
v25.0.0-beta.2
v25.0.0-beta.3
v25.0.0-rc.1
v25.0.0-rc.2
v25.0.0-rc.3

v26.*

v26.0.0
v26.0.0-rc1
v26.0.0-rc2
v26.0.0-rc3
v26.1.0

v27.*

v27.0.0-rc.1
v27.0.0-rc.2
v27.0.1
v27.0.1-rc.1

v28.*

v28.0.0
v28.0.0-rc.1
v28.0.0-rc.2
v28.0.0-rc.3
v28.0.1
v28.0.2
v28.0.3
v28.0.4
v28.1.0
v28.1.0-rc.1
v28.1.0-rc.2
v28.1.1
v28.2.0
v28.2.0-rc.1
v28.2.0-rc.2
v28.2.1
v28.2.2
v28.3.0
v28.3.0-rc.1
v28.3.0-rc.2
v28.3.1
v28.3.2