Moby/Docker Firewall Bypass Vulnerability (CVE-2025-54410) Affects Bridge Networks
Summary
A critical security vulnerability in Moby (the open-source engine behind Docker) before version 28.0.0 has been identified. Tracked as CVE-2025-54410, this flaw causes network isolation between containers in bridge networks to be lost whenever the firewalld service on the host is reloaded.
What happened?
In environments where Moby is used alongside firewalld, the engine relies on specific iptables rules to control and isolate traffic between containers. It was discovered that reloading firewalld (e.g., due to configuration changes or system updates) causes these isolation rules set by Moby to be deleted. Moby does not automatically restore these rules after the reload occurs.
Why it matters
Network isolation is a cornerstone of container security. Without this isolation, containers within the same bridge network can gain unrestricted access to all ports of other containers on the same host. In multi-tenant environments or when running applications with different security levels, this represents a significant risk for cross-container attacks and data theft.
Evidence
The vulnerability is officially registered as CVE-2025-54410. A GitHub issue in the Moby repository (#51731) provides detailed documentation of the behavior. Security databases such as NMMapper and the Debian Package Tracker confirm that Docker versions prior to 28.0.0 are affected.
Analysis
The issue stems from a lack of synchronization between Moby’s network manager and the dynamic state of firewalld. While firewalld rewrites its own rules during a reload, Moby does not detect this process and fails to re-insert its critical isolation rules into the iptables chains. This leaves the system in an insecure state without the administrator necessarily receiving an error message.
Practical Takeaways
- Mandatory Update: Administrators should immediately upgrade Docker/Moby to version 28.0.0 or higher, as this version includes fixes for rule management.
- Configuration Audit: Check if firewalld is active on your Docker hosts and how frequently reloads are performed.
- Workaround: If an update is not immediately possible, the Docker service should be restarted after every firewalld reload to restore the rules (systemctl restart docker).
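A concrete form of the audit and workaround above, added here as an example and not code from the advisory or from Moby: a POSIX shell check that inspects the `iptables -S` listing for the chains Moby installs for bridge isolation. It assumes those chains are named DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 and are reached by a jump from FORWARD; the two listings embedded below are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Moby. Checks whether the
# iptables chains Moby installs for bridge isolation (assumed here to be
# DOCKER-ISOLATION-STAGE-1/2, jumped to from FORWARD) survived a firewalld
# reload. The listings below are constructed samples, not captured output.

# Constructed: what `iptables -S` looks like with Moby's rules in place.
SAMPLE_INTACT='-P FORWARD DROP
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1'

# Constructed: the same table after a reload has flushed Moby's rules.
SAMPLE_FLUSHED='-P FORWARD ACCEPT
-A FORWARD -j ACCEPT'

# docker_isolation_present LISTING -> exit 0 if both isolation chains and the
# FORWARD jump into them are present in LISTING, exit 1 if any is missing.
docker_isolation_present() {
    for needle in '^-N DOCKER-ISOLATION-STAGE-1$' \
                  '^-N DOCKER-ISOLATION-STAGE-2$' \
                  '^-A FORWARD -j DOCKER-ISOLATION-STAGE-1$'; do
        printf '%s\n' "$1" | grep -q -- "$needle" || return 1
    done
    return 0
}

# Live check (needs root and iptables): run it after `firewall-cmd --reload`.
# A non-zero exit means the bridge isolation rules are gone and the
# workaround from the advisory (systemctl restart docker) applies.
check_live_host() {
    if docker_isolation_present "$(iptables -S)"; then
        echo "ok: Docker bridge isolation chains present"
    else
        echo "MISSING: Docker isolation chains gone; restart docker" >&2
        return 1
    fi
}

# Self-test on the constructed samples unless asked to inspect the live host.
case "${1-}" in
    --live) check_live_host ;;
    *) docker_isolation_present "$SAMPLE_INTACT" && echo "sample intact: present"
       docker_isolation_present "$SAMPLE_FLUSHED" || echo "sample flushed: missing" ;;
esac
```

Invoke with `--live` on a Docker host to inspect the real table; without arguments it only exercises the constructed samples.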
Open Questions
It remains to be seen how quickly downstream distributions (such as Debian, RHEL, Ubuntu) will update their stable packages. Furthermore, it is unclear whether similar issues might occur when using nftables directly without the firewalld abstraction layer.