CVE-2026-33747

BuildKit vulnerable to malicious frontend causing file escape outside of storage root

CVSS 8.4 HIGH · EPSS 0.5% · CWE-22
In short

BuildKit allows malicious custom frontends to write files outside their intended storage directory, potentially compromising the system. This happens when untrusted frontends are used with specific BuildKit options.

Technical detail

A path traversal vulnerability (CWE-22) in BuildKit's frontend processing allows an attacker who controls a custom frontend image to craft API messages that escape the execution context's state directory. The attack requires the victim to use an untrusted frontend, selected via the `#syntax` directive or `--build-arg BUILDKIT_SYNTAX`; well-known frontends such as `docker/dockerfile` are not affected. Successful exploitation enables arbitrary file writes outside the storage root, potentially leading to privilege escalation or system compromise.

Summary generated and translated by AI from the official description.
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
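The two preconditions named above (an untrusted frontend chosen through `#syntax` or `BUILDKIT_SYNTAX`, and a BuildKit older than v0.28.1) are easy to check for in CI before a build runs. The following is an added example written for this page, not code from the advisory or from the BuildKit project. It parses Dockerfile parser directives the way the Dockerfile reference describes them (only lines at the very top of the file, before any instruction, comment or blank line, are honoured), resolves the frontend image to its repository name, and compares it against an allowlist. The allowlist contents, the sample Dockerfiles and the `registry.example` image name are constructed for illustration.

```python
import re
from typing import Optional

# Frontends treated as well-known. The advisory names docker/dockerfile;
# the second spelling is the same image with its default registry written out.
# Assumption: this allowlist is the example's own; extend it for your org.
TRUSTED_FRONTENDS = {"docker/dockerfile", "docker.io/docker/dockerfile"}

# First BuildKit release that contains the fix, per the advisory.
FIXED_VERSION = (0, 28, 1)

_SYNTAX_DIRECTIVE = re.compile(r"^#\s*syntax\s*=\s*(\S+)\s*$", re.IGNORECASE)
_ANY_DIRECTIVE = re.compile(r"^#\s*[A-Za-z]+\s*=")


def syntax_frontend(dockerfile_text: str) -> Optional[str]:
    """Return the image named by a `# syntax=` parser directive, or None.

    Parser directives are only recognised at the top of the Dockerfile; the
    first line that is not a directive (an instruction, a plain comment or a
    blank line) ends the search, so a `# syntax=` further down is ignored.
    """
    for line in dockerfile_text.splitlines():
        if not _ANY_DIRECTIVE.match(line):
            break
        m = _SYNTAX_DIRECTIVE.match(line)
        if m:
            return m.group(1)
    return None


def image_repo(ref: str) -> str:
    """Strip the tag (`:1`) and digest (`@sha256:...`) from an image reference.

    A colon after the last slash is a tag; a colon before it is a registry
    port (e.g. localhost:5000/team/image), which must be kept.
    """
    ref = ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]
    return f"{head}{sep}{tail}"


def frontend_findings(dockerfile_text: str, build_args: dict) -> list:
    """List the ways this build selects a frontend outside the allowlist."""
    findings = []
    directive = syntax_frontend(dockerfile_text)
    if directive and image_repo(directive) not in TRUSTED_FRONTENDS:
        findings.append(f"#syntax directive selects untrusted frontend {directive}")
    # --build-arg BUILDKIT_SYNTAX=<image> overrides the frontend the same way.
    arg = build_args.get("BUILDKIT_SYNTAX")
    if arg and image_repo(arg) not in TRUSTED_FRONTENDS:
        findings.append(f"BUILDKIT_SYNTAX build-arg selects untrusted frontend {arg}")
    return findings


def buildkit_is_fixed(version: str) -> bool:
    """True when a version string such as 'v0.28.1' is at or above the fixed release."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised BuildKit version: {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


# Constructed sample inputs for a stand-alone run.
SAMPLE_TRUSTED = "# syntax=docker/dockerfile:1\nFROM alpine:3.19\nRUN echo ok\n"
SAMPLE_UNTRUSTED = (
    "# escape=`\n"
    "# syntax=registry.example/ci/custom-frontend:latest\n"
    "FROM alpine:3.19\n"
)

if __name__ == "__main__":
    for name, text in (("trusted", SAMPLE_TRUSTED), ("untrusted", SAMPLE_UNTRUSTED)):
        print(name, frontend_findings(text, {}) or "no findings")
    print("v0.28.1 fixed:", buildkit_is_fixed("v0.28.1"))
```

In a pipeline the two checks are complementary: a build on a patched BuildKit can still run an arbitrary frontend image with its own code, so the allowlist check is worth keeping even after upgrading, and the version check catches hosts that were missed by the upgrade.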
Affected products
moby · buildkit
