CVE-2025-54410: Docker Container Isolation Bypass After firewalld Reload
A critical vulnerability has been discovered in Docker (Moby) that can lead to container isolation bypass following a firewalld reload. This issue, identified as CVE-2025-54410, could allow unauthorized access between containers on the same host, posing a significant risk in multi-tenant environments.
Vulnerability Details
- CVE ID: CVE-2025-54410
- Description: After firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments.
- CVSS Score: 3.3 (LOW)
- CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
- CVSS Explanation: The score is low because exploitation requires local access, high attack complexity and user interaction, and the impact is limited to confidentiality and integrity with no effect on availability. A local attacker would need to trick a user into triggering a firewalld reload.
- Affected Vendor: Docker (Moby)
- Affected Product: Docker Engine, Mirantis Container Runtime
- Affected Versions: Moby releases before 28.0.0
- CWE: CWE-909 - Improperly Ordered Operations
- CWE Explanation: The issue arises from the incorrect sequence of operations when firewalld reloads, leading to Docker not properly re-establishing iptables rules for container isolation.
Timeline of Events
- 2025-07-30: CVE-2025-54410 Published
- Anticipated: Fix expected in Moby version 25.0.13
Exploitability & Real-World Risk
While the CVSS score is low, the real-world risk can be higher, especially in multi-tenant environments. An attacker who gains local access to a container and can trigger a firewalld reload could potentially compromise other containers on the same host. This could lead to data breaches, service disruption, or further lateral movement within the environment.
Recommendations
- Upgrade: Upgrade to Moby version 25.0.13 or later when available.
- Workaround: After each firewalld reload, restart the Docker daemon or re-create the bridge networks; alternatively, run Docker in rootless mode.
- Monitoring: Monitor firewalld reload events and Docker container network configurations.
- Network Policies: Implement robust network policies to further isolate containers.
Technical Insight
The vulnerability stems from the interaction between Docker's network management and firewalld. When firewalld reloads, it can disrupt Docker's iptables rules, which are crucial for isolating containers on different bridge networks. If Docker doesn't properly re-establish these rules, containers can bypass network segmentation.
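To make the monitoring recommendation above concrete, here is an added example (not Docker's own code) that inspects an iptables-save dump for the inter-bridge isolation rules this issue leaves missing. It assumes the chain names DOCKER-ISOLATION-STAGE-1/2 used by Docker Engine before 28.0; both dumps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Docker's own code): check an iptables-save dump for the
# inter-bridge isolation rules that CVE-2025-54410 leaves missing after a
# firewalld reload. Chain names DOCKER-ISOLATION-STAGE-1/2 are those used by
# Docker Engine before 28.0; the two dumps below are constructed for the demo.

# Number of rules present in the two isolation chains of the filter table.
count_isolation_rules() {
    printf '%s\n' "$1" | grep -c -E '^-A DOCKER-ISOLATION-STAGE-[12] ' || true
}
# Docker bridge interfaces referenced anywhere in the dump (docker0, br-<id>).
bridges_in_dump() {
    printf '%s\n' "$1" | grep -o -E 'docker0|br-[0-9a-f]+' | sort -u
}
# Prints every bridge that has no STAGE-1 rule; empty output means isolation
# is intact. A bridge listed here can reach every port on the other bridges.
missing_isolation() {
    for br in $(bridges_in_dump "$1"); do
        printf '%s\n' "$1" | grep -q -E "^-A DOCKER-ISOLATION-STAGE-1 -i $br " || echo "$br"
    done
}
# Constructed dump of a healthy host with docker0 and one user-defined bridge.
HEALTHY_DUMP='*filter
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o br-1a2b3c4d5e6f -j DOCKER
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1a2b3c4d5e6f ! -o br-1a2b3c4d5e6f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1a2b3c4d5e6f -j DROP
COMMIT'
# Constructed dump after a firewalld reload on a vulnerable host: the FORWARD
# and DOCKER rules are back, but the isolation chains stay empty.
RELOADED_DUMP='*filter
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o br-1a2b3c4d5e6f -j DOCKER
COMMIT'
# On a real host, feed `iptables-save -t filter` in instead of the sample dumps.
report() {
    missing=$(missing_isolation "$2" | tr '\n' ' ')
    if [ -z "$missing" ]; then echo "$1: isolation rules present"
    else echo "$1: no isolation for $missing-> restart dockerd or re-create the networks"; fi
}
report healthy "$HEALTHY_DUMP"
report after_reload "$RELOADED_DUMP"
```

Running the check from a firewalld reload hook or a periodic timer turns the missing rules into an alert instead of a silent loss of segmentation.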
Credit to Researcher(s)
This vulnerability was reported via a GitHub Security Advisory.
Tags
#Docker #firewalld #CVE-2025-54410 #containersecurity #vulnerability #networksegmentation
Summary: A vulnerability in Docker (Moby) allows containers to bypass network isolation after firewalld reloads. This can lead to unauthorized access between containers on the same host, especially in multi-tenant environments. Upgrade or use workarounds to mitigate the risk.
CVE ID: CVE-2025-54410
Risk Analysis: Successful exploitation can lead to unauthorized access to other containers, data breaches, or service disruption, especially in multi-tenant environments.
Recommendation: Upgrade to Moby version 25.0.13 or later. Alternatively, reload firewalld and restart the docker daemon, re-create bridge networks, or use rootless mode.