
Cloud Vulnerability DB
A community-led vulnerabilities database
Moby, the open source container framework developed by Docker Inc. and distributed as Docker Engine and Mirantis Container Runtime, is affected by a firewalld reload vulnerability in releases before 28.0.0. The vulnerability was discovered on July 29, 2025, and assigned CVE-2025-54410. When firewalld reloads, Docker fails to re-create the iptables rules that isolate bridge networks from one another, so the network segmentation between containers on different bridge networks is silently lost (GitHub Advisory).
The vulnerability is triggered whenever firewalld is reloaded, for example with 'firewall-cmd --reload', 'killall -HUP firewalld', or 'systemctl reload firewalld'. The reload removes Docker's iptables rules, and in affected versions the rules that isolate containers on different bridge networks are not re-created afterwards. The vulnerability has been assigned a CVSS v3.1 score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N, reflecting that exploitation requires local access and a separate action by a user (the reload), has high attack complexity, and has a limited impact on confidentiality and integrity (GitHub Advisory, NVD).
Once the isolation rules are gone, a container on one bridge network can reach any port on any container on any other bridge network on the same host, and this state persists until the rules are restored. This breaks the segmentation that such networks are expected to provide and is most significant in multi-tenant environments where workloads of different trust levels share a host. Containers in networks created with --internal remain protected, and Docker Engine instances that do not run in the host's network namespace (including Rootless Mode and Docker Desktop) are unaffected (GitHub Advisory).
Several workarounds are available: after any firewalld reload, restart the Docker daemon or re-create the bridge networks so that the isolation rules are installed again; alternatively, run Docker Engine in rootless mode, which is not affected. A fix is available in Moby release 25.0.13, and all versions 28.0.0 and newer are not affected by this vulnerability (GitHub Advisory).
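Because the loss of isolation leaves no error behind, a host running an affected version should check for it after every firewalld reload. The script below is an added example written for this page; it is not code from the Moby project or the advisory. It assumes Docker's standard chain layout in the iptables filter table, where each non-internal bridge network contributes a "-o <bridge> -j DROP" rule to the DOCKER-ISOLATION-STAGE-2 chain, and it uses the advisory's own workaround (restart the daemon) as the repair. The iptables output embedded in it is constructed for the example; on a real host the --live mode reads the actual chain and network list.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Moby): detect and repair the
# loss of Docker's bridge-isolation rules after a firewalld reload.
#
# Assumption, labelled here: Docker Engine keeps its inter-bridge isolation in
# the filter chain DOCKER-ISOLATION-STAGE-2, one "-o <bridge> -j DROP" rule per
# non-internal bridge network (including docker0). If bridges exist but that
# chain has no DROP rules, the isolation described in CVE-2025-54410 is gone.
set -e

# isolation_state RULES BRIDGE_COUNT
#   RULES        text of `iptables -S DOCKER-ISOLATION-STAGE-2` (may be empty)
#   BRIDGE_COUNT number of non-internal bridge networks on the host
# Prints one of: none (no bridges, nothing to protect), ok, partial, lost.
isolation_state() {
    rules=$1
    bridges=$2
    # grep -c exits 1 when there are no matches; keep going under set -e.
    drops=$(printf '%s\n' "$rules" \
        | grep -c -- '^-A DOCKER-ISOLATION-STAGE-2 -o [^ ]* -j DROP$' || true)
    if [ "$bridges" -eq 0 ]; then
        echo none
    elif [ "$drops" -eq 0 ]; then
        echo lost
    elif [ "$drops" -lt "$bridges" ]; then
        echo partial
    else
        echo ok
    fi
}

# Constructed sample: STAGE-2 as it looks with docker0 plus two user bridges.
SAMPLE_INTACT='-N DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1a2b3c4d5e6f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-6f5e4d3c2b1a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN'

# Constructed sample: the chain exists but its DROP rules were not re-created.
SAMPLE_LOST='-N DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -j RETURN'

# check_host: run the check against the live host (needs root) and, if the
# isolation rules are missing, apply the advisory's workaround of restarting
# the daemon so they are installed again.
check_host() {
    rules=$(iptables -S DOCKER-ISOLATION-STAGE-2 2>/dev/null || true)
    bridges=$(docker network ls --filter driver=bridge --format '{{.Internal}}' \
        | grep -c false || true)
    state=$(isolation_state "$rules" "$bridges")
    echo "bridge isolation: $state ($bridges non-internal bridge networks)"
    case "$state" in
        lost|partial)
            echo "isolation rules missing; restarting docker to re-create them"
            systemctl restart docker
            ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    check_host
else
    # Offline demonstration on the constructed samples.
    echo "intact chain, 3 bridges: $(isolation_state "$SAMPLE_INTACT" 3)"
    echo "reloaded chain, 3 bridges: $(isolation_state "$SAMPLE_LOST" 3)"
fi
```

Run it as `sh check-isolation.sh --live` from a firewalld reload hook or a cron job on hosts that cannot yet move to a fixed release; without --live it only exercises the constructed samples. The "partial" state is reported separately because it can also arise legitimately while a network is being created or removed, so it is worth confirming before restarting the daemon in a production environment.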
Source: This report was generated using AI