CVE-2025-54410

Severity: LOW 3.3 | EPSS: 0.02%

Moby firewalld reload removes bridge network isolation

Published: 7/29/2025 | Modified: 3/27/2026
Also known as: GHSA-4vq8-7jfc-9cvp, CGA-93wf-c9p6-cc24, GO-2025-3829

Description

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as [moby/moby](https://github.com/moby/moby), is commonly referred to as Docker, or Docker Engine.

Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When firewalld is running, Docker uses its iptables backend to create rules, including rules that isolate containers in one bridge network from containers in other bridge networks.

### Impact

The iptables rules created by Docker are removed when firewalld is reloaded using, for example, `firewall-cmd --reload`, `killall -HUP firewalld`, or `systemctl reload firewalld`. When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that isolate containers in different bridge networks from each other are not re-created. Once these rules have been removed, a container can reach any port on any container in any non-internal bridge network on the Docker host.

Containers in networks created with `--internal` (or equivalent) have no access to other networks, and containers that are only connected to such networks remain isolated after a firewalld reload.

Where Docker Engine is not running in the host's network namespace, it is unaffected; this includes, for example, Rootless Mode and Docker Desktop.

### Patches

Moby releases 28.0.0 and newer are not affected. A fix is available in moby release 25.0.13.

### Workarounds

After reloading firewalld, either:

- restart the docker daemon,
- re-create the bridge networks, or
- use rootless mode.

### References

- https://firewalld.org/
- https://firewalld.org/documentation/howto/reload-firewalld.html
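The advisory says what is lost on reload but not how to tell whether a given host is currently in the degraded state. The script below is an added example, not code from the advisory or from moby/moby: it checks that every non-internal bridge network still has its inter-network isolation rule and, on request, applies the advisory's first workaround (restart the daemon). It assumes the chain names Docker's iptables backend uses (`DOCKER-ISOLATION-STAGE-1` and `DOCKER-ISOLATION-STAGE-2`), the default bridge naming (`docker0` for the default network, `br-<12-character network id>` otherwise, unless `com.docker.network.bridge.name` overrides it), and it embeds constructed `iptables -S` output for the healthy and degraded states so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the advisory or moby/moby): after a firewalld reload,
# verify that each non-internal Docker bridge still has its isolation DROP rule
# in DOCKER-ISOLATION-STAGE-2, and restart dockerd if any is missing.
# Assumed: chain names DOCKER-ISOLATION-STAGE-1/2, bridge names docker0 and
# br-<12-char id> unless com.docker.network.bridge.name is set.

# missing_isolation RULES_FILE BRIDGE...
# RULES_FILE holds `iptables -S` output. Prints every bridge interface that has
# no "-A DOCKER-ISOLATION-STAGE-2 -o <bridge> -j DROP" rule; returns 1 if any.
missing_isolation() {
  dump=$1; shift
  rc=0
  for br in "$@"; do
    if ! grep -q -- '^-A DOCKER-ISOLATION-STAGE-2 -o '"$br"' -j DROP$' "$dump"; then
      echo "$br"
      rc=1
    fi
  done
  return $rc
}

# docker_bridges: print the bridge interface of every non-internal bridge
# network on this host. Internal networks are skipped because, per the
# advisory, they stay isolated after a reload.
docker_bridges() {
  docker network ls --filter driver=bridge --format '{{.ID}} {{.Name}} {{.Internal}}' |
  while read -r id name internal; do
    if [ "$internal" = "true" ]; then continue; fi
    custom=$(docker network inspect -f '{{index .Options "com.docker.network.bridge.name"}}' "$name")
    if [ -n "$custom" ]; then echo "$custom"
    elif [ "$name" = "bridge" ]; then echo docker0
    else echo "br-$id"
    fi
  done
}

# check_host: live check (needs root for iptables and access to the Docker
# socket). Returns 0 when every non-internal bridge has its isolation rule.
check_host() {
  live=$(mktemp)
  iptables -S > "$live"
  set -- $(docker_bridges)   # word splitting on whitespace is intended here
  if missing=$(missing_isolation "$live" "$@"); then
    echo "isolation rules present for: $*"
    rm -f "$live"; return 0
  fi
  echo "WARNING: bridges without an isolation rule (firewalld reload?):" >&2
  echo "$missing" >&2
  rm -f "$live"; return 1
}

# remediate: the advisory's first workaround. Restarting dockerd re-creates all
# of Docker's iptables rules, including the isolation rules.
remediate() {
  echo "restarting docker to re-create isolation rules" >&2
  systemctl restart docker
}

# sample_rules healthy|degraded: constructed `iptables -S` excerpts for two
# bridge networks (docker0 and br-1a2b3c4d5e6f). The "degraded" shape, with the
# per-bridge entries absent and only the RETURN rules re-created, is an
# assumption used to illustrate the post-reload state, not captured output.
sample_rules() {
  case $1 in
    healthy) cat <<'EOF'
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1a2b3c4d5e6f ! -o br-1a2b3c4d5e6f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1a2b3c4d5e6f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
EOF
    ;;
    degraded) cat <<'EOF'
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
EOF
    ;;
  esac
}

case "${1:-}" in
  check) check_host ;;
  fix)   check_host || remediate ;;
  *)     echo "usage: $0 check|fix   (live check; needs root, docker and iptables)" >&2 ;;
esac
```

Run `sh isolation-check.sh check` from a cron job or a firewalld post-reload hook to catch the degraded state early; `fix` restarts the daemon, which also restarts containers unless the daemon runs with `live-restore` enabled. Re-creating the affected bridge networks or moving to rootless mode, the advisory's other two workarounds, avoid the daemon restart.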

Affected packages (3)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | LOW 3.3 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N |

References (7)