CVE-2025-6587

EPSS 0.1%
Veröffentlicht 03.07.2025 10:15:37
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@docker.com
CVE-Watchlists
Login
Unerledigt
Login

Exposure of system environment variables in Docker Desktop diagnostic logs

System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc. 
A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerDocker

≫

Produkt Docker Desktop

Default Statusunaffected

Version 0

Version < 4.43.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.278

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@docker.com	5.2	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs

https://nvd.nist.gov/vuln/detail/CVE-2025-6587

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-6587

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-6587

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-6587