CVE-2025-54388: Docker Containers Exposed After Firewalld Reload

A critical vulnerability has been identified in Moby (Docker Engine) that can expose container ports to external access after a firewalld reload. This post breaks down the issue, its impact, and how to mitigate the risk.

🔍 TL;DR Summary

Docker versions 28.2.0 through 28.3.2 fail to properly recreate iptables rules after a firewalld reload, potentially exposing container ports published to localhost (e.g., 127.0.0.1:8080) to remote machines. Upgrade to version 28.3.3 or later to resolve this issue.

🚨 Vulnerability Details

  • CVE ID: CVE-2025-54388
  • Description: When the firewalld service is reloaded, it removes all iptables rules, including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This leads to containers with ports published to localhost becoming accessible from remote machines.
  • CVSS Score and Vector:
    • CVSS 4.0: 5.1 (Medium)
    • Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    • Explanation: This vulnerability is rated as 'Medium' because an attacker on the adjacent network can potentially access exposed services with minimal effort. User interaction is required (passive). The confidentiality and integrity impacts are low, while availability is not affected.
  • Exploit Requirements: An attacker needs network access to the Docker bridge and knowledge of exposed ports.
  • Affected Vendor, Product, Version: Moby (Docker Engine), versions 28.2.0 through 28.3.2.
  • CWE:
    • CWE-909: Improperly Neutralizing Special Elements in a Path Expression
    • Explanation: This vulnerability stems from an improper configuration or lack of proper management of iptables rules after an external event (firewalld reload).

📅 Timeline of Events

  • 2025-07-30: CVE-2025-54388 Published.
  • 2025-07-31: Analysis and blog post creation.

🧠 Exploitability & Real-World Risk

This vulnerability poses a real risk in environments where firewalld is reloaded often, such as hosts managed by automated configuration management or during routine server maintenance. An attacker with access to that network could reach services running in containers that were intended to be accessible only from the host machine. This could lead to data breaches, unauthorized access, or other malicious activity.

🛠️ Recommendations

  • Upgrade: Upgrade to Moby (Docker Engine) version 28.3.3 or later.
  • Workaround: Manually recreate the iptables rules after a firewalld reload if upgrading is not immediately possible.
  • Best Practices: Review your container port publishing configurations and ensure that sensitive services are not exposed unnecessarily. Consider using more robust network segmentation techniques.
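A quick way to act on the upgrade recommendation is to gate hosts on the version the daemon reports. The script below is an added example, not part of the advisory or of the Moby project: it parses the string printed by `docker version --format '{{.Server.Version}}'` and classifies it against the 28.2.0 through 28.3.2 range stated above. The version-string tolerance (a leading `v`, a `-rc` or `+build` suffix) and the "unaffected" label for releases older than 28.2.0 are assumptions of this example, based only on the range the advisory gives.

```python
"""Classify a Docker Engine version against the CVE-2025-54388 range.

Added example, not from the advisory or the Moby project. It parses the
string printed by `docker version --format '{{.Server.Version}}'`
(tolerating a leading 'v' and pre-release/build suffixes such as
'28.3.2-rc.1') and reports whether the host needs the 28.3.3 upgrade.
The range below is the one stated in the advisory.
"""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (28, 2, 0)   # first affected release (per the advisory)
AFFECTED_MAX = (28, 3, 2)   # last affected release (per the advisory)
FIXED_IN = (28, 3, 3)       # first fixed release (per the advisory)

# Only the numeric triplet is compared; pre-release tags are ignored (assumption).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); raises ValueError on unparsable input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Docker version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(text: str) -> str:
    """'affected', 'fixed' or 'unaffected' for the given version string."""
    v = parse_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_IN:
        return "fixed"
    # Older than 28.2.0: outside the range the advisory lists as affected.
    return "unaffected"


def installed_server_version() -> Optional[str]:
    """Ask the local daemon for its version; None if docker is unavailable."""
    try:
        out = subprocess.run(
            ["docker", "version", "--format", "{{.Server.Version}}"],
            capture_output=True, text=True, timeout=10, check=True)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    version = installed_server_version()
    if version is None:
        print("docker daemon not reachable")
    else:
        print(f"Docker Engine {version}: {classify(version)}")
```

Run it on each host as a user allowed to talk to the Docker socket; any host reporting `affected` should be upgraded to 28.3.3 or later.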

🧪 Technical Insight

Docker relies on iptables rules to manage network traffic to and from containers. When a port is published to localhost, Docker creates rules to restrict access from external networks. The vulnerability lies in the failure to automatically recreate these specific rules after firewalld resets the iptables configuration during a reload. Essentially, Docker forgets to re-establish the intended network isolation.

🙌 Credit to Researcher(s)

This vulnerability was reported via a GitHub Security Advisory.

🧵 Tags

CVE-2025-54388, Docker, Firewalld, Container Security, iptables

Summary: Docker versions 28.2.0 through 28.3.2 fail to properly recreate iptables rules after a firewalld reload, potentially exposing container ports published to localhost to remote machines. Upgrade to version 28.3.3 or later to resolve this issue.

CVE ID: CVE-2025-54388

Risk Analysis: Successful exploitation could lead to unauthorized access to services running in containers, potentially resulting in data breaches, system compromise, or other malicious activities.

Recommendation: Upgrade to Moby (Docker Engine) version 28.3.3 or later. Manually recreate iptables rules after a firewalld reload if upgrading is not immediately possible. Review container port publishing configurations and network segmentation.
