- Description
- System environment variables are recorded in Docker Desktop diagnostic logs when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as API keys, passwords, etc. A malicious actor with read access to these logs could obtain secrets and use them to gain unauthorized access to other systems. Starting with version 4.43.0, Docker Desktop no longer logs system environment variables as part of diagnostics log collection.
- Source
- security@docker.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 5.2
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
- security@docker.com
- CWE-532
#CVE20256587 CVE-2025-6587 - Docker Desktop Environment Variable Disclosure Vulnerability: CVE ID : CVE-2025-6587 Published : July 3, 2025, 10:15 a.m. | 34 minutes ago Description : System environment variables are recorded in Docker Desktop… https://t.co/8Fx13Z7oPK
@ZeroDayCVE
3 Jul 2025