
x/vulndb: potential Go vuln in github.com/docker/buildx: CVE-2025-0495 #3527


Closed
GoVulnBot opened this issue Mar 17, 2025 · 1 comment

Comments

@GoVulnBot

Advisory CVE-2025-0495 references a vulnerability in the following Go modules:

Module
github.com/docker/buildx

Description:
Buildx is a Docker CLI plugin that extends build capabilities using BuildKit.

Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in the BuildKit daemon's history records.

This vulnerability does not impact secrets passed to the GitHub cache backend via environment variables or registry authentication.

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/docker/buildx
      vulnerable_at: 0.21.3
summary: CVE-2025-0495 in github.com/docker/buildx
cves:
    - CVE-2025-0495
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-0495
    - web: https://github.com/docker/buildx
source:
    id: CVE-2025-0495
    created: 2025-03-17T21:01:17.94252173Z
review_status: UNREVIEWED
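The failure mode in the advisory is that the raw CLI arguments, including `--cache-to`/`--cache-from` attribute strings that carry inline credentials, are copied into a trace attribute. The Go program below is an added illustration of that pattern and of a redaction step that scrubs credential-bearing attribute keys before the arguments are recorded; it is not buildx's code and not the upstream fix. The credential key list, the `cli.args` attribute name and the flag forms handled are assumptions for the example, and the trace "span" is modelled as a plain map rather than an OpenTelemetry API call so it runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute keys that inline cache backend credentials are assumed to use
// (s3/azblob/gha style). Illustrative list for this example, not buildx's own.
var sensitiveCacheKeys = map[string]bool{
	"access_key_id":     true,
	"secret_access_key": true,
	"session_token":     true,
	"account_key":       true,
	"token":             true,
}

// redactCacheAttrs takes the raw value of a --cache-to/--cache-from flag,
// e.g. "type=s3,region=us-east-1,secret_access_key=abc", and replaces the
// value of every credential key with a placeholder. Non-credential
// attributes (type, ref, region, bucket, ...) are passed through unchanged.
func redactCacheAttrs(spec string) string {
	parts := strings.Split(spec, ",")
	for i, p := range parts {
		k, _, ok := strings.Cut(p, "=")
		if ok && sensitiveCacheKeys[strings.ToLower(k)] {
			parts[i] = k + "=<redacted>"
		}
	}
	return strings.Join(parts, ",")
}

// traceArgsUnsafe mirrors the failure mode described in the advisory: the
// whole argv is stored in a span attribute as-is, so any inline cache
// credentials end up in the trace and in whatever persists it.
func traceArgsUnsafe(args []string) map[string]string {
	return map[string]string{"cli.args": strings.Join(args, " ")}
}

// traceArgsRedacted scrubs cache-to/cache-from values before recording.
// Both "--cache-to SPEC" and "--cache-to=SPEC" forms are handled.
func traceArgsRedacted(args []string) map[string]string {
	out := make([]string, 0, len(args))
	for i := 0; i < len(args); i++ {
		a := args[i]
		switch {
		case a == "--cache-to" || a == "--cache-from":
			out = append(out, a)
			if i+1 < len(args) {
				i++
				out = append(out, redactCacheAttrs(args[i]))
			}
		case strings.HasPrefix(a, "--cache-to=") || strings.HasPrefix(a, "--cache-from="):
			flag, spec, _ := strings.Cut(a, "=")
			out = append(out, flag+"="+redactCacheAttrs(spec))
		default:
			out = append(out, a)
		}
	}
	return map[string]string{"cli.args": strings.Join(out, " ")}
}

func main() {
	// Constructed sample invocation; the credential values are placeholders.
	argv := []string{
		"buildx", "build",
		"--cache-to", "type=s3,region=us-east-1,bucket=b,access_key_id=AKIAEXAMPLE,secret_access_key=wJalrXUtnFEMI",
		"--cache-from=type=s3,region=us-east-1,bucket=b,access_key_id=AKIAEXAMPLE,secret_access_key=wJalrXUtnFEMI",
		".",
	}
	fmt.Println("unsafe:  ", traceArgsUnsafe(argv)["cli.args"])
	fmt.Println("redacted:", traceArgsRedacted(argv)["cli.args"])
}
```

Because the advisory notes that traces are also persisted in the BuildKit daemon's history records, redaction has to happen at the point the attribute is built, not only at the exporter; anything recorded before that step is already on disk. The key-based allowlist is deliberately conservative: an unknown attribute is passed through, so a backend that introduces a new credential key would need to be added here, which is the usual caveat with denylist-style redaction.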

@gopherbot
Contributor

Change https://go.dev/cl/658855 mentions this issue: data/reports: add 4 reports


3 participants