#1110408 docker.io: CVE-2025-54410

Package:
src:docker.io
Source:
src:docker.io
Submitter:
Salvatore Bonaccorso
Date:
2025-08-04 19:55:02 UTC
Severity:
normal
Tags:
#1110408#5
Date:
2025-08-04 19:53:05 UTC
Hi,

The following vulnerability was published for docker.io.

CVE-2025-54410[0]:
| Moby is an open source container framework developed by Docker Inc.
| that is distributed as Docker Engine, Mirantis Container Runtime,
| and various other downstream projects/products. A firewalld
| vulnerability affects Moby releases before 28.0.0. When firewalld
| reloads, Docker fails to re-create iptables rules that isolate
| bridge networks, allowing any container to access all ports on any
| other container across different bridge networks on the same host.
| This breaks network segmentation between containers that should be
| isolated, creating significant risk in multi-tenant environments.
| Only containers in --internal networks remain protected. Workarounds
| include reloading firewalld and either restarting the docker daemon,
| re-creating bridge networks, or using rootless mode. Maintainers
| anticipate a fix for this issue in version 25.0.13.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54410
https://www.cve.org/CVERecord?id=CVE-2025-54410
[1] https://github.com/moby/moby/security/advisories/GHSA-4vq8-7jfc-9cvp

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
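The advisory describes the failure as the loss, after a firewalld reload, of the iptables rules Docker uses to isolate bridge networks from each other. An operator applying the workaround (reload firewalld, then restart dockerd or re-create the bridge networks) will want a quick way to confirm those rules are back. The script below is an added example written for this page; it is not Moby, Docker or Debian code. It reads `iptables-save -t filter` output and checks, for each bridge interface named on the command line, that the DOCKER-ISOLATION-STAGE-1/-2 chain pair and the FORWARD jump into it are present. The rule shapes are the pre-28.0 layout Docker Engine installs for `docker0` and user-defined `br-*` bridges; the interface name `br-1a2b3c4d5e6f`, the packet counters and both sample tables are constructed.

```shell
#!/usr/bin/env bash
# Added example (not Docker/Moby code): verify Docker bridge isolation rules
# after a firewalld reload, the condition behind CVE-2025-54410.
# Usage on a live host:  iptables-save -t filter | check_isolation docker0 br-XXXX

# check_isolation <bridge-if>...  reads iptables-save text on stdin.
# Returns 0 when every named bridge is isolated, 1 otherwise; what is
# missing is reported on stderr.
check_isolation() {
    local rules missing=0 br
    rules=$(cat)
    # FORWARD must hand off to STAGE-1 first; without this jump the per-network
    # "-i br ! -o br -j ACCEPT" rules below it accept cross-bridge traffic.
    if ! printf '%s\n' "$rules" | grep -qE '^-A FORWARD -j DOCKER-ISOLATION-STAGE-1$'; then
        echo "missing: FORWARD -> DOCKER-ISOLATION-STAGE-1 jump" >&2
        missing=1
    fi
    for br in "$@"; do
        # STAGE-1: packets leaving bridge $br for a different interface are
        # handed to STAGE-2 for the drop decision.
        if ! printf '%s\n' "$rules" | grep -qE "^-A DOCKER-ISOLATION-STAGE-1 -i $br ! -o $br -j DOCKER-ISOLATION-STAGE-2$"; then
            echo "missing: STAGE-1 rule for $br" >&2
            missing=1
        fi
        # STAGE-2: anything whose egress is $br but which arrived via another
        # bridge is dropped. This is the rule that actually separates networks.
        if ! printf '%s\n' "$rules" | grep -qE "^-A DOCKER-ISOLATION-STAGE-2 -o $br -j DROP$"; then
            echo "missing: STAGE-2 DROP for $br" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: filter table of a healthy host with docker0 and one
# user-defined bridge network (interface name and counters are made up).
HEALTHY='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-1a2b3c4d5e6f -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1a2b3c4d5e6f -j DOCKER
-A FORWARD -i br-1a2b3c4d5e6f ! -o br-1a2b3c4d5e6f -j ACCEPT
-A FORWARD -i br-1a2b3c4d5e6f -o br-1a2b3c4d5e6f -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1a2b3c4d5e6f ! -o br-1a2b3c4d5e6f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1a2b3c4d5e6f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed sample: the state the advisory describes after a firewalld
# reload on an affected release. The isolation chains exist but are empty and
# the FORWARD jump is gone, so the remaining "-i br ! -o br -j ACCEPT" rules
# let a container on one bridge reach any port on a container on the other.
BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o br-1a2b3c4d5e6f -j DOCKER
-A FORWARD -i br-1a2b3c4d5e6f ! -o br-1a2b3c4d5e6f -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Convenience wrapper for a live host (needs root; not run by the samples above).
check_live() { iptables-save -t filter | check_isolation "$@"; }
```

Run it right after `firewall-cmd --reload`; if it reports missing rules, apply the advisory's workaround (restart the docker daemon or re-create the bridge networks) and run it again. The bridge list to pass is what `docker network ls` shows for the `bridge` driver, with user-defined networks appearing as `br-<first 12 chars of the network id>`.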