fix: [CI-21415]: remediate CVE-2025-15558 - upgrade docker base to 29.2.0-dind and buildx to v0.32.0#93
Open
vinayakharness2026 wants to merge 1 commit intodrone-plugins:masterfrom
Conversation
Upgrade base image from docker:28.1.1-dind to docker:29.2.0-dind and bundled buildx binary from v0.23.0 to v0.32.0 to resolve CVE-2025-15558 (github.com/docker/cli privilege escalation on Windows, fixed in docker/cli v29.2.0). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Vulnerability Remediation: plugins/buildx
Ticket: CI-21415
Test image scanned:
vinayakharness/buildx-test:buildx-1.3.16--debugBaseline scan (original image): View execution
After scan (test image): View execution
Vulnerability Delta
Per-Ticket CVE Status
CI-21415 — High: github.com/docker/cli CVE in plugins/buildx:1.3.15
Summary: CVE-2025-15558 was present in two locations in the original image — the bundled
docker/buildxbinary (v0.23.0, shipping docker/cli v28.0.4) and the base image's docker CLI and docker-compose binaries (docker:28.1.1-dind, shipping docker/cli v28.1.1). Both are below the required fix version of v29.2.0. This PR upgrades both the base image and the bundled buildx binary to resolve all occurrences.Note on CVE scope: CVE-2025-15558 is a Windows-only privilege escalation issue (uncontrolled plugin search path at
C:\ProgramData\Docker\cli-plugins). It does not affect Linux containers. The fix is applied here to clear the scanner finding and stay current with upstream.Code changes for this ticket:
docker/docker/Dockerfile.linux.amd64:FROM docker:28.1.1-dind->FROM docker:29.2.0-dindBUILDX_URL->v0.32.0(wasv0.23.0)docker/docker/Dockerfile.linux.arm64:FROM arm64v8/docker:28.1.1-dind->FROM arm64v8/docker:29.2.0-dindBUILDX_URL->v0.32.0(wasv0.23.0)Changes Made
docker/docker/Dockerfile.linux.amd64docker:28.1.1-dind->docker:29.2.0-dind; buildx binary:v0.23.0->v0.32.0docker/docker/Dockerfile.linux.arm64arm64v8/docker:28.1.1-dind->arm64v8/docker:29.2.0-dind; buildx binary:v0.23.0->v0.32.0Version selection rationale:
docker:29.2.0-dindis the minimum base image version that ships docker/cli >= v29.2.0. It is the smallest bump that satisfies the fix requirement.docker/buildx v0.32.0is the minimum buildx release that ships docker/cli >= v29.2.0 (it ships v29.2.1). Every release from v0.24.0 through v0.31.1 shipped docker/cli versions in the 28.x range.Warning
Major version upgrade included — sanity testing required
The base image was upgraded across a major version boundary:
docker:28.1.1-dind->docker:29.2.0-dind(major: 28 -> 29)arm64v8/docker:28.1.1-dind->arm64v8/docker:29.2.0-dind(major: 28 -> 29)Before merging, please: