Sensitive Information Disclosure in Docker Desktop by Docker, Inc.
CVE-2025-6587

5.2 MEDIUM

Key Information:

Vendor: Docker
CVE Published: 3 July 2025

What is CVE-2025-6587?

In Docker Desktop, system environment variables can inadvertently be included in diagnostic logs when users employ shell auto-completion features. This can lead to the unintentional exposure of sensitive information, including API keys and passwords. If a malicious actor gains read access to these logs, they may exploit this data to obtain unauthorized access to other systems. Docker has addressed this issue by ensuring that starting with version 4.43.0, system environment variables are no longer logged in the diagnostics collection process.
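An added example, not from Docker or from this page: a Python check to run over an unpacked diagnostics bundle to see whether the values of secret-looking environment variables appear in any file. The name pattern, the minimum value length and the sample log lines are assumptions; the sample format is constructed and is not real Docker Desktop output.

```python
import os
import re
import sys
from pathlib import Path

# Name fragments that usually mark a secret-bearing variable (assumed list, extend as needed).
SENSITIVE_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL", re.I)
MIN_VALUE_LEN = 8  # skip short values such as "1" or "true" that would match everywhere


def find_leaks(text, env):
    """Return sorted (line_number, variable_name) pairs where a secret value occurs in text."""
    secrets = {k: v for k, v in env.items()
               if SENSITIVE_NAME.search(k) and len(v) >= MIN_VALUE_LEN}
    hits = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, value in secrets.items():
            if value in line:
                hits.add((lineno, name))
    return sorted(hits)


def scan_tree(root, env):
    """Scan every regular file under root; return {path: [(line, name), ...]} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_leaks(text, env)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample data: made-up variable values and a made-up log line format.
SAMPLE_ENV = {"AWS_SECRET_ACCESS_KEY": "EXAMPLEsecretVALUE0000", "LANG": "en_US.UTF-8",
              "DB_PASSWORD": "correct-horse-battery", "API_TOKEN": "abc"}
SAMPLE_LOG = """\
[completion] invoked docker compose
[completion] env: LANG=en_US.UTF-8 AWS_SECRET_ACCESS_KEY=EXAMPLEsecretVALUE0000
[diagnostics] upload prepared
[completion] env: DB_PASSWORD=correct-horse-battery
"""

if __name__ == "__main__":
    # Pass the directory of an unpacked diagnostics bundle; with no argument, run on the sample.
    result = (scan_tree(sys.argv[1], dict(os.environ)) if len(sys.argv) > 1
              else {"<sample>": find_leaks(SAMPLE_LOG, SAMPLE_ENV)})
    for path, hits in result.items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: value of {name} present (value not printed)")
```

Any variable the script reports should be treated as exposed and its credential rotated, since the log files may already have been shared or uploaded.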

Affected Version(s)

Docker Desktop on macOS: versions from 0 up to, but not including, 4.43.0

CVSS V4

Score: 5.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
