
CVE-2024-23651: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in moby buildkit

Severity: High
Tags: Vulnerability, CVE-2024-23651, cve, cve-2024-23651, cwe-362
Published: Wed Jan 31 2024 (01/31/2024, 21:49:18 UTC)
Source: CVE Database V5
Vendor/Project: moby
Product: buildkit

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding BuildKit frontends from untrusted sources and not building untrusted Dockerfiles that contain cache mounts with --mount=type=cache,source=... options.

AI-Powered Analysis

Last updated: 07/08/2025, 01:55:05 UTC

Technical Analysis

CVE-2024-23651 is a high-severity race condition vulnerability (CWE-362) in the moby project's BuildKit component, a widely used toolkit for building container images efficiently and reproducibly. The vulnerability arises when two malicious build steps execute concurrently and share the same cache mounts with subpaths. Because access to these shared resources is not properly synchronized, a race condition can occur that lets one build step access files from the host system that should be isolated from the build container. This breaks container isolation and can lead to unauthorized disclosure of sensitive host files.

The vulnerability affects BuildKit versions prior to 0.12.5. Exploitation does not require authentication or user interaction, but the attacker must control or influence the build steps and cache mount configurations. The CVSS v3.1 score is 8.7 (high), reflecting a network attack vector, high impact on confidentiality and integrity, no availability impact, and high attack complexity due to the need for specific build configurations.

The issue was fixed in BuildKit version 0.12.5. Workarounds include avoiding the use of BuildKit frontends from untrusted sources and not building untrusted Dockerfiles that use cache mounts with the --mount=type=cache,source=... option. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially to enterprises relying heavily on containerized build pipelines and CI/CD workflows using BuildKit. If exploited, attackers could gain unauthorized access to sensitive host files during the build process, potentially leaking credentials, proprietary code, or configuration files. This can lead to intellectual property theft, compliance violations (e.g., GDPR if personal data is exposed), and lateral movement within the network if attackers leverage leaked secrets. The integrity of build artifacts could also be compromised, undermining trust in software supply chains. Organizations with multi-tenant build environments or those that accept external Dockerfiles or build steps are particularly vulnerable. The high CVSS score and the scope of impact on confidentiality and integrity make this a critical concern for software development and DevOps teams in Europe.

Mitigation Recommendations

1. Upgrade BuildKit to version 0.12.5 or later immediately to apply the official fix.
2. Implement strict controls on build inputs: only use trusted BuildKit frontends and avoid building Dockerfiles from untrusted or external sources, especially those that use cache mounts with --mount=type=cache,source=... options.
3. Enforce isolation policies in CI/CD pipelines to prevent concurrent builds from sharing cache mounts or other resources that could lead to race conditions.
4. Audit and monitor build logs and file system accesses during builds to detect anomalous behavior indicative of exploitation attempts.
5. Use container security tools to scan build environments for misconfigurations and enforce least privilege principles on build agents.
6. Educate developers and DevOps teams about the risks of race conditions in build processes and the importance of secure build configurations.
7. Consider implementing ephemeral build environments that are destroyed after each build to limit the persistence of any unauthorized access.
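
A pre-build gate for recommendations 1 and 2, as an added example that is not part of the advisory or of BuildKit: it flags RUN instructions whose cache mount sets a source subpath (the pattern the workaround names) and checks a BuildKit version string against 0.12.5. The function names and the sample Dockerfile are constructed for illustration, and heredoc-style RUN bodies are not handled.

```python
import re

FIXED = (0, 12, 5)  # first fixed BuildKit release named in the advisory

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, instruction)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines never end an instruction
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:
        yield start, buf

def risky_cache_mounts(dockerfile_text):
    """Return [(line_no, mount_spec)] for RUN cache mounts that set source."""
    hits = []
    for no, instr in logical_lines(dockerfile_text):
        if not re.match(r"\s*RUN\b", instr, re.I):
            continue
        for spec in re.findall(r"--mount=(\S+)", instr):
            opts = dict(kv.partition("=")[::2] for kv in spec.split(","))
            # "src" is checked too, on the assumption it is an alias of "source"
            if opts.get("type") == "cache" and {"source", "src"} & opts.keys():
                hits.append((no, spec))
    return hits

def buildkit_is_fixed(version):
    """True when a version string such as 'v0.12.4' is at or above 0.12.5."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3]) >= FIXED

# Constructed sample Dockerfile (not from the advisory).
SAMPLE = """\
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN --mount=type=cache,target=/root/.cache/pip pip install -r req.txt
RUN --mount=type=cache,target=/c,source=sub/dir \\
    --mount=type=bind,source=.,target=/src \\
    make
"""

if __name__ == "__main__":
    print(risky_cache_mounts(SAMPLE), buildkit_is_fixed("v0.12.4"))
```

A hit means the Dockerfile needs review before it is built on a BuildKit older than 0.12.5; it does not by itself show malicious intent, since cache mounts with a source subpath also have legitimate uses.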


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-01-19T00:18:53.234Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683879c8182aa0cae28296b0

Added to database: 5/29/2025, 3:14:16 PM

Last enriched: 7/8/2025, 1:55:05 AM

Last updated: 7/29/2025, 3:37:18 AM
