
Cloud Vulnerability DB
A community-led vulnerabilities database
Moby, the open source container framework developed by Docker Inc. and distributed as Docker Engine and Mirantis Container Runtime, contains a vulnerability (CVE-2025-54388) affecting versions 28.2.0 through 28.3.2. Disclosed on July 29, 2025, the issue is a firewall state management bug: after a firewalld reload, published container ports that should be reachable only from the host itself become accessible from remote machines (GitHub Advisory).
When the firewalld service is reloaded (for example with `firewall-cmd --reload`), it flushes all iptables rules, including those created by Docker. Docker is expected to recreate its rules automatically, but versions before 28.3.3 fail to recreate the specific rules that block external access to containers, while the rules that admit traffic do come back. The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (Medium) with the vector string CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N; the AV:A component reflects that the attacker must be on a network adjacent to the Docker host, and UI:P that an administrator has to trigger the firewalld reload. The defect is in the reapplyPerPortIptables function of the bridge network driver (GitHub Commit).
After a firewalld reload, a container with a port published to a loopback address (for example 127.0.0.1:8080) also becomes reachable from any remote machine that can route traffic to the Docker bridge subnet, even though the loopback binding is meant to limit access to the host itself. For example, if a Docker host has address 192.168.0.10 and a bridge network with subnet 172.17.0.0/16, a remote host on the same local network can add a route for 172.17.0.0/16 via 192.168.0.10 and then connect directly to the container's address and port. Only explicitly published ports are affected; ports that were never published remain protected (GitHub Advisory).
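The practical question on an affected host is whether the rules that keep loopback-bound ports off the network survived the last reload. The script below is an added example for this write-up, not code from the Moby project or the advisory: it parses iptables-save output for the filter-table DOCKER chain and reports every publication bound to 127.x.x.x whose blocking DROP rule is absent. The exact rule shape it matches (a DROP for traffic not sourced from 127.0.0.0/8, destined to the container address, entering from outside the bridge) is an assumption about what Docker Engine 28.x writes; the iptables-save excerpts, container addresses and port mappings are constructed sample data.

```python
"""Detect loopback-published Docker ports that have lost their remote-block rule.

Added example for this write-up; it is not code from the Moby project or the
advisory. It parses iptables-save text for the filter-table DOCKER chain and
reports every port published to 127.x.x.x whose DROP rule is absent, which is
the state the advisory describes after a firewalld reload.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Publication:
    """One published port: the host-side binding plus the container address
    and port the NAT rule points at."""
    host_ip: str
    host_port: int
    container_ip: str
    container_port: int
    proto: str = "tcp"


# Assumed shape of the rule Docker Engine 28.x writes in the filter table's
# DOCKER chain for a port bound to a loopback address: traffic that did not
# originate on the host (source not in 127.0.0.0/8) and is routed toward the
# container from outside the bridge is dropped. Compare with your own
# `iptables-save` output before relying on it.
LOOPBACK_DROP_RE = re.compile(
    r"^-A DOCKER ! -s 127\.0\.0\.0/8 -d (?P<cip>[\d.]+)/32"
    r" ! -i (?P<br>\S+) -o (?P=br) -p (?P<proto>tcp|udp) -m (?P=proto)"
    r" --dport (?P<port>\d+) -j DROP$"
)


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.")


def loopback_block_rules(iptables_save: str) -> set:
    """Return {(container_ip, proto, container_port)} for each loopback DROP
    rule found in the *filter table of an iptables-save dump."""
    found = set()
    in_filter = False
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat" or "*filter"
            in_filter = line == "*filter"
            continue
        if in_filter:
            m = LOOPBACK_DROP_RE.match(line)
            if m:
                found.add((m["cip"], m["proto"], int(m["port"])))
    return found


def unprotected_publications(pubs, iptables_save: str) -> list:
    """Loopback-bound publications whose DROP rule is missing. Publications
    bound to other addresses are meant to be reachable and are never flagged."""
    present = loopback_block_rules(iptables_save)
    return [
        p for p in pubs
        if is_loopback(p.host_ip)
        and (p.container_ip, p.proto, p.container_port) not in present
    ]


# Constructed sample: one port meant for the host only, one deliberately public.
PUBS = [
    Publication("127.0.0.1", 8080, "172.17.0.2", 80),
    Publication("0.0.0.0", 9090, "172.17.0.3", 9090),
]

# Constructed iptables-save excerpts modelled on a Docker 28.x host with the
# default docker0 bridge (172.17.0.0/16). Only the DOCKER chains are shown.
IPTABLES_BEFORE_RELOAD = """\
*nat
:DOCKER - [0:0]
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 172.17.0.3:9090
COMMIT
*filter
:DOCKER - [0:0]
-A DOCKER ! -s 127.0.0.0/8 -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9090 -j ACCEPT
COMMIT
"""

# Same host after `firewall-cmd --reload` on an affected version: the NAT and
# ACCEPT rules came back, the loopback DROP rule did not.
IPTABLES_AFTER_RELOAD = IPTABLES_BEFORE_RELOAD.replace(
    "-A DOCKER ! -s 127.0.0.0/8 -d 172.17.0.2/32 ! -i docker0 -o docker0 "
    "-p tcp -m tcp --dport 80 -j DROP\n",
    "",
)


if __name__ == "__main__":
    for label, dump in (("before reload", IPTABLES_BEFORE_RELOAD),
                        ("after reload", IPTABLES_AFTER_RELOAD)):
        exposed = unprotected_publications(PUBS, dump)
        print(f"{label}: {len(exposed)} loopback-bound port(s) reachable remotely")
        for p in exposed:
            print(f"  {p.host_ip}:{p.host_port} -> {p.container_ip}:{p.container_port}/{p.proto}")
```

On a real host, replace the constructed dumps with `iptables-save` captured before and after `firewall-cmd --reload`, and build the publication list from `docker port` or `docker inspect` output. This checks exposure from the host's side; the advisory's remote-side check (adding a route for the bridge subnet via the Docker host and connecting to the container address) confirms it from the attacker's side.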
The issue is fixed in Moby 28.3.3. Until an affected deployment is upgraded, several workarounds are available: restart the Docker daemon after every firewalld reload, re-create the bridge networks, or run Docker in rootless mode. Moby releases older than 28.2.0 are not affected by this vulnerability (GitHub Advisory).
Source: This report was generated using AI