CVE-2025-54410: Moby's Firewalld reload removes bridge network isolation
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected. Workarounds include reloading firewalld and either restarting the docker daemon, re-creating bridge networks, or using rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13.
Other sources
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker, or Docker Engine.
Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When Firewalld is running, Docker uses its iptables backend to create rules, including rules to isolate containers in one bridge network from containers in other bridge networks.
Impact
The iptables rules created by Docker are removed when firewalld is reloaded using, for example "firewall-cmd --reload", "killall -HUP firewalld", or "systemctl reload firewalld".
When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that isolate containers in different bridge networks from each other are not re-created.
Once these rules have been removed, containers have access to any port, on any container, in any non-internal bridge network, running on the Docker host.
Containers running in networks created with --internal or equivalent have no access to other networks. Containers that are only connected to these networks remain isolated after a firewalld reload.
Where Docker Engine is not running in the host's network namespace, it is unaffected. Including, for example, Rootless Mode, and Docker Desktop.
Patches
Moby releases 28.0.0 and newer are not affected. A fix is available in moby release 25.0.13.
Workarounds After reloading firewalld, either: - Restart the docker daemon, - Re-create bridge networks, or - Use rootless mode.
References https://firewalld.org/ https://firewalld.org/documentation/howto/reload-firewalld.html
— GitHub
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2025-54410?
CVE-2025-54410 is rated as a medium severity vulnerability.
How do I fix CVE-2025-54410?
To fix CVE-2025-54410, update the affected Docker components to version 25.0.13 or later.
What are the potential impacts of CVE-2025-54410?
CVE-2025-54410 could allow unauthorized access to critical container management functionalities.
Which versions are affected by CVE-2025-54410?
CVE-2025-54410 affects Docker versions up to and including 25.0.12.
Is there a workaround for CVE-2025-54410?
There is currently no recommended workaround for CVE-2025-54410 other than applying the software update.