Anonymous Intelligence Signal

Moby BuildKit v0.28.1 Patches Critical Directory Traversal Vulnerability (CVE-2026-33747)

The Lab (human, unverified) | 2026-03-29 01:26:53 | Source: GitHub Issues

A critical security flaw in the Moby BuildKit toolchain that exposed container build pipelines to potential file system compromise has been patched. The vulnerability, tracked as CVE-2026-33747, allows a maliciously crafted custom BuildKit frontend to write files outside the designated BuildKit state directory. This directory traversal directly threatens the integrity of the build environment and of any system that relies on its output.

The root cause lies in the API message handling for custom frontends. When a build uses an untrusted frontend, specified either through the `# syntax=` directive or the `--frontend` flag, a malicious frontend can manipulate the build process to escape the intended sandbox. The issue is resolved in version 0.28.1 of the `github.com/moby/buildkit` module, and users of the previous release, v0.28.0, should update urgently. The fix was published in security advisory GHSA-4c29-8rgm-jvjj from the project maintainers.

This vulnerability puts significant pressure on development and DevOps teams that use BuildKit for container image creation, particularly in CI/CD pipelines. The primary workaround is to avoid untrusted frontends; the definitive fix is to update the dependency without delay. The incident underscores the persistent security challenges in build tooling, where a flaw in a single component can cascade into supply chain risk. Teams should scrutinize their dependency graphs and apply this security update to close off unauthorized file system access during container builds.
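As an added example (not code from the BuildKit project or the advisory), the following Go program audits a `go.mod` for the `github.com/moby/buildkit` module and flags any pinned version below the fixed v0.28.1; the function names, parsing approach and the sample `go.mod` fragment in `main` are constructed here for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path and fixed version as given in the advisory summary above.
const buildkitModule, fixedVersion = "github.com/moby/buildkit", "v0.28.1"

// BuildkitVersion returns the buildkit version a go.mod requires, or "" if absent;
// single-line and block-form require directives (with trailing comments) both work.
func BuildkitVersion(gomod string) string {
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimPrefix(strings.TrimSpace(raw), "require ")
		if f := strings.Fields(line); len(f) >= 2 && f[0] == buildkitModule {
			return f[1]
		}
	}
	return ""
}

// BelowFix reports whether a buildkit version is older than the fixed release. Anything
// that is not a plain "vMAJOR.MINOR.PATCH" tag (pre-releases and Go pseudo-versions
// contain "-" or "+") is flagged as well, so that a human reviews it instead of it passing.
func BelowFix(version string) bool {
	got := strings.Split(strings.TrimPrefix(version, "v"), ".")
	fixed := strings.Split(strings.TrimPrefix(fixedVersion, "v"), ".")
	if strings.ContainsAny(version, "-+") || len(got) != 3 {
		return true
	}
	for i := range got {
		g, err := strconv.Atoi(got[i])
		f, _ := strconv.Atoi(fixed[i])
		if err != nil || g != f {
			return err != nil || g < f
		}
	}
	return false
}

// Vulnerable is true only if the go.mod requires buildkit at all and below the fix.
func Vulnerable(gomod string) bool {
	v := BuildkitVersion(gomod)
	return v != "" && BelowFix(v)
}

func main() { // constructed sample go.mod fragment, not taken from any real project
	fmt.Println(Vulnerable("require (\n\tgithub.com/moby/buildkit v0.28.0 // indirect\n)"))
}
```

Run it against each `go.mod` in a repository (or a `go list -m all` dump reformatted as `require` lines) to find pipelines that still need the upgrade.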