Security: Update Docker SDK and Go Version to remediate CVE-2025-54410, CVE-2025-58183 & CVE-2025-47914
Summary
Container security scans have identified multiple High and Medium severity vulnerabilities in the docker-machine binary. These stem from outdated dependencies (github.com/docker/docker, golang.org/x/crypto) and an older Go toolchain used for compilation.
Vulnerability Details
| CVE ID | Severity | Component | Issue | Fix Version |
|---|---|---|---|---|
| CVE-2025-54410 | Low/Medium | github.com/docker/docker | Firewalld reload can wipe iptables rules, breaking network segmentation. | v28.0.0+ |
| CVE-2025-58183 | High | stdlib (archive/tar) | tar.Reader OOM Denial of Service via sparse files. | Recompile with Go 1.25.3+ |
| CVE-2025-47914 | Medium | golang.org/x/crypto | SSH Agent panic on malformed message size. | v0.45.0+ |
| CVE-2025-58181 | Medium | golang.org/x/crypto | SSH GSSAPI memory exhaustion. | v0.45.0+ |
Proposal
1. Update Dependencies
Update go.mod to require the patched versions:
- github.com/docker/docker => v28.0.0
- golang.org/x/crypto => v0.45.0
2. Update Go Toolchain
Bump the Go version in .gitlab-ci.yml / Makefile to the latest secure release (Go 1.25.3 or later) to resolve the standard library CVEs.
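As an added example (not code from this issue or from the docker-machine project), the following Go program checks a tree against the two steps above: it parses the require directives of a go.mod, compares the pinned versions of github.com/docker/docker and golang.org/x/crypto against the fix versions from the table, and checks a `go version` token (or a CI image tag such as go1.25.3) against the toolchain floor. The go.mod text and the module path example.invalid/docker-machine are constructed for illustration.

```go
package main

import (
	"sort"
	"strconv"
	"strings"
)

// Constructed go.mod content for illustration; not the repository's real go.mod.
const sampleGoMod = `module example.invalid/docker-machine
require (
	github.com/docker/docker v20.10.24+incompatible // indirect
	golang.org/x/crypto v0.17.0
)
`

// Fix versions from the table in this issue.
var fixVersions = map[string]string{
	"github.com/docker/docker": "v28.0.0",
	"golang.org/x/crypto":      "v0.45.0",
}

// Minimum toolchain for the archive/tar fix; check the compiler CI really uses.
const fixGo = "1.25.3"

// parseVersion turns "v20.10.24+incompatible", "v0.45.0" or "go1.22.5" into
// major/minor/patch numbers; pre-release and build suffixes are ignored.
func parseVersion(v string) (out [3]int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if i > 2 || err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// atLeast reports whether have >= want; unparsable input counts as not fixed.
func atLeast(have, want string) bool {
	h, okH := parseVersion(have)
	w, okW := parseVersion(want)
	for i := 0; okH && okW && i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return okH && okW
}

// requireVersions extracts module -> version from single-line and block
// require directives; comments and other directives are skipped.
func requireVersions(gomod string) map[string]string {
	mods, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			mods[f[0]] = f[1]
		case len(f) >= 3 && f[0] == "require":
			mods[f[1]] = f[2]
		}
	}
	return mods
}

// Outdated lists, sorted, each module from fixVersions that go.mod omits or
// pins below its fix version, as "module have -> want".
func Outdated(gomod string) []string {
	have := requireVersions(gomod)
	var findings []string
	for mod, want := range fixVersions {
		v, present := have[mod]
		if !present {
			v = "(missing)"
		}
		if !atLeast(v, want) {
			findings = append(findings, mod+" "+v+" -> "+want)
		}
	}
	sort.Strings(findings)
	return findings
}

// ToolchainOK reports whether a `go version` token such as "go1.25.3" meets fixGo.
func ToolchainOK(goVersion string) bool { return atLeast(goVersion, fixGo) }
```

Outdated(sampleGoMod) flags both modules for the constructed input; run it over the real go.mod and pass the version token from `go version` in the CI image to ToolchainOK, since the module file's own `go` directive says nothing about the compiler that actually built the binary.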
Technical Note: Breaking Changes in Docker SDK v28
Upgrading github.com/docker/docker to v28.0.0 will break compilation in libmachine/mcndockerclient/docker_client.go because the api/types package has been split.
Required Code Changes:
The types.ImagePullOptions and types.ContainerStartOptions structs have moved.
- Remove Import: github.com/docker/docker/api/types
- Add Imports: github.com/docker/docker/api/types/container, github.com/docker/docker/api/types/image
- Update References:
  - Change types.ImagePullOptions -> image.PullOptions
  - Change types.ContainerStartOptions -> container.StartOptions
  - Change
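To show the three changes above in code, here is an added Go example (not code from this issue or from the docker-machine repository) that applies them with go/ast to a constructed stand-in for docker_client.go: it renames the two selectors, adds the container and image imports, removes the api/types import once nothing uses it, and reports any other types.X reference that the list above does not cover. The stand-in source and its function pullAndStart are constructed; the only renames it knows are the two listed, and it assumes the package is imported under its default name "types".

```go
package main

import (
	"bytes"
	"go/ast"
	"go/format"
	"go/parser"
	"go/printer"
	"go/token"
	"strconv"
)

// Constructed stand-in for the pre-upgrade client code, not the real
// libmachine/mcndockerclient/docker_client.go; it uses both moved structs.
const oldSource = `package mcndockerclient

import (
	"context"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/client"
)

func pullAndStart(ctx context.Context, cli *client.Client, ref, id string) error {
	if _, err := cli.ImagePull(ctx, ref, types.ImagePullOptions{}); err != nil {
		return err
	}
	return cli.ContainerStart(ctx, id, types.ContainerStartOptions{})
}
`

// move records an api/types struct's v28 home: import path, package name, identifier.
type move struct{ pkgPath, pkgName, ident string }

// The two renames the issue lists; any other types.X is reported, not guessed.
var moves = map[string]move{
	"ImagePullOptions":      {"github.com/docker/docker/api/types/image", "image", "PullOptions"},
	"ContainerStartOptions": {"github.com/docker/docker/api/types/container", "container", "StartOptions"},
}

// Migrate rewrites the known types.X selectors, adds the imports they need, drops
// the api/types import once nothing uses it, and returns any names it could not move.
func Migrate(src string) (string, []string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "docker_client.go", src, parser.ParseComments)
	if err != nil {
		return "", nil, err
	}
	var oldSpec *ast.ImportSpec
	for _, imp := range f.Imports {
		if p, _ := strconv.Unquote(imp.Path.Value); p == "github.com/docker/docker/api/types" {
			oldSpec = imp
		}
	}
	needed := map[string]bool{} // new import paths, deduplicated
	var leftover []string
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "types" {
				if m, known := moves[sel.Sel.Name]; known {
					pkg.Name, sel.Sel.Name = m.pkgName, m.ident
					needed[m.pkgPath] = true
				} else {
					leftover = append(leftover, sel.Sel.Name)
				}
			}
		}
		return true
	})
	for _, d := range f.Decls {
		gd, ok := d.(*ast.GenDecl)
		if !ok || gd.Tok != token.IMPORT {
			continue
		}
		var specs []ast.Spec
		for _, s := range gd.Specs {
			if s != oldSpec || len(leftover) > 0 {
				specs = append(specs, s) // drop the old import unless unmoved names still need it
			}
			if s == oldSpec {
				for p := range needed { // positions stay unset; format.Source below repairs that
					specs = append(specs, &ast.ImportSpec{Path: &ast.BasicLit{Kind: token.STRING, Value: strconv.Quote(p)}})
				}
			}
		}
		gd.Specs = specs
	}
	var buf bytes.Buffer
	if err := printer.Fprint(&buf, fset, f); err != nil {
		return "", nil, err
	}
	out, err := format.Source(buf.Bytes()) // re-parse: sorts and aligns the import group
	if err != nil {
		return "", nil, err
	}
	return string(out), leftover, nil
}
```

Call Migrate with the file contents and write back the returned source; anything in the returned slice is a types.X reference the list above does not cover, and the old import is kept until those are moved by hand, so the file still fails to compile against v28 in an obvious place rather than silently.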
Priority
While we understand this repository is in maintenance mode, these vulnerabilities affect the security posture of the GitLab Runners utilizing the Docker Machine executor.