Docker Engine 25.0 release notes

This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 25.0.

For more information about:



For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:


This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.

Bug fixes and enhancements

  • CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's moby/moby#47589

  • plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588

  • rootless: fix open /etc/docker/plugins: permission denied. moby/moby#47587

  • Fix multiple parallel docker build runs leaking disk space. moby/moby#47527



For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47490
  • Fix docker start failing when used with --checkpoint moby/moby#47466
  • Don't enforce new validation rules for existing swarm networks moby/moby#47482
  • Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47481
  • Fix a regression introduced in v25.0 that prevented the classic builder from adding tar archive with xattrs created on a non-Linux OS moby/moby#47483
  • containerd image store: Fix image pull not emitting Pulling fs layer status moby/moby#47484
  • API: To preserve backwards compatibility, make read-only mounts non-recursive by default when using older clients (API versions < v1.44). moby/moby#47393
  • API: GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field was missing from the image config. moby/moby#47451
  • API: Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API versions <= 1.43. moby/moby#47387
  • API: Fix a regression that caused API socket connection failures to report an API version negotiation failure instead. moby/moby#47470
  • API: Preserve supplied endpoint configuration in a container-create API request, when a container-wide MAC address is specified, but NetworkMode name or id is not the same as the name or id used in NetworkSettings.Networks. moby/moby#47510

Packaging updates



For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • containerd image store: Fix a bug where docker image history would fail if a manifest wasn't found in the content store. moby/moby#47348

  • Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304


    • Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. They must be re-created.
    • Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 receive new MAC addresses when started using Docker Engine version 25.0.2. They must also be re-created.
  • Fix docker save <image>@<digest> producing an OCI archive with index without manifests. moby/moby#47294

  • Fix a bug preventing bridge networks from being created with an MTU higher than 1500 on RHEL and CentOS 7. moby/moby#47308, moby/moby#47311

  • Fix a bug where containers are unable to communicate over an internal network. moby/moby#47303

  • Fix a bug where the value of the ipv6 daemon option was ignored. moby/moby#47310

  • Fix a bug where trying to install a pulling using a digest revision would cause a panic. moby/moby#47323

  • Fix a potential race condition in the managed containerd supervisor. moby/moby#47313

  • Fix an issue with the journald log driver preventing container logs from being followed correctly with systemd version 255. moby/moby47243

  • seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd. moby/moby#47341

  • Windows: Fix cache not being used when building images based on Windows versions older than the host's version. moby/moby#47307, moby/moby#47337

Packaging updates



For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:


This release contains security fixes for the following CVEs affecting Docker Engine and its components.

CVEComponentFix versionSeverity
CVE-2024-21626runc1.1.12High, CVSS 8.6
CVE-2024-23651BuildKit1.12.5High, CVSS 8.7
CVE-2024-23652BuildKit1.12.5High, CVSS 8.7
CVE-2024-23653BuildKit1.12.5High, CVSS 7.7
CVE-2024-23650BuildKit1.12.5Medium, CVSS 5.5
CVE-2024-24557Docker Engine25.0.2Medium, CVSS 6.9

The potential impacts of the above vulnerabilities include:

  • Unauthorized access to the host filesystem
  • Compromising the integrity of the build cache
  • In the case of CVE-2024-21626, a scenario that could lead to full container escape

For more information about the security issues addressed in this release, refer to the blog post. For details about each vulnerability, see the relevant security advisory:

Packaging updates



For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • API: Fix incorrect HTTP status code for containers with an invalid network configuration created before upgrading to Docker Engine v25.0. moby/moby#47159
  • Ensure that a MAC address based on a container's IP address is re-generated when the container is stopped and restarted, in case the generated IP/MAC addresses have been reused. moby/moby#47171
  • Fix host-gateway-ip not working during build when not set through configuration. moby/moby#47192
  • Fix a bug that prevented a container from being renamed twice. moby/moby#47196
  • Fix an issue causing containers to have their short ID added to their network alias when inspecting them. moby/moby#47182
  • Fix an issue in detecting whether a remote build context is a Git repository. moby/moby#47136
  • Fix an issue with layers order in OCI manifests. moby/moby#47150
  • Fix volume mount error when passing an addr or ip mount option. moby/moby#47185
  • Improve error message related to extended attributes that can't be set due to improperly namespaced attribute names. moby/moby#47178
  • Swarm: Fixed start_interval not being passed to the container config. moby/moby#47163

Packaging updates



For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:


In earlier versions of Docker Engine, recursive mounts (submounts) would always be mounted as writable, even when specifying a read-only mount. This behavior has changed in v25.0.0, for hosts running on kernel version 5.12 or later. Now, read-only bind mounts are recursively read-only by default.

To get the same behavior as earlier releases, you can specify the bind-recursive option for the --mount flag.

$ docker run --mount type=bind,src=SRC,dst=DST,readonly,bind-recursive=writable IMAGE

This option isn't supported with the -v or --volume flag. For more information, see Recursive mounts.


  • The daemon now uses systemd's default LimitNOFILE. In earlier versions of Docker Engine, this limit was set to infinity. This would cause issues with recent versions of systemd, where the hard limit was increased, causing programs that adjusted their behaviors based on ulimits to consume a high amount of memory. moby/moby#45534

    The new setting makes containers behave the same way as programs running on the host, but may cause programs that make incorrect assumptions based on the soft limit to misbehave. To get the previous behavior, you can set LimitNOFILE=1048576.

    This change currently only affects build containers created with docker build when using BuildKit with the docker driver. Future versions of containerd will also use this limit, which will cause this behavior to affect all containers, not only build containers.

    If you're experiencing issues with the higher ulimit in systemd v240 or later, consider adding a system drop-in or override file to configure the ulimit settings for your setup. The Flatcar Container Linux documentation has a great article covering this topic in detail.

  • Add OpenTelemetry tracing. moby/moby#45652, moby/moby#45579

  • Add support for CDI devices under Linux. moby/moby#45134, docker/cli#4510, moby/moby#46004

  • Add an additional interval to be used by healthchecks during the container start period. moby/moby#40894, docker/cli#4405, moby/moby#45965

  • Add a --log-format flag to dockerd to control the logging format: text (default) or JSON. moby/moby#45737

  • Add support for recursive read-only mounts. moby/moby#45278, moby/moby#46037

  • Add support for filtering images based on timestamp with docker image ls --filter=until=<timestamp>. moby/moby#46577

Bug fixes and enhancements

  • API: Fix error message for invalid policies at ValidateRestartPolicy. moby/moby#46352
  • API: Update /info endpoint to use singleflight. moby/moby#45847
  • Add an error message for when specifying a Dockerfile filename with -f, and also using stdin. docker/cli#4346
  • Add support for mac-address and link-local-ip fields in --network long format. docker/cli#4419
  • Add support for specifying multiple --network flags with docker container create and docker run. moby/moby#45906
  • Automatically enable IPv6 on a network when an IPv6 subnet is specified. moby/moby#46455
  • Add support for overlay networks over IPv6 transport. moby/moby#46790
  • Configuration reloading is now more robust: if there's an error during the configuration reload process, no configuration changes are applied. moby/moby#43980
  • Live restore: Containers with auto remove (docker run --rm) are no longer forcibly removed on engine restart. moby/moby#46857
  • Live restore: containers that are live-restored will now be given another health-check start period when the daemon restarts. moby/moby#47051
  • Container health status is flushed to disk less frequently, reducing wear on flash storage. moby/moby#47044
  • Ensure network names are unique. moby/moby#46251
  • Ensure that overlay2 layer metadata is correct. moby/moby#46471
  • Fix Downloading progress message on image pull. moby/moby#46515
  • Fix NetworkConnect and ContainerCreate with improved data validation, and return all validation errors at once. moby/moby#46183
  • Fix option when IPv6 and ip6tables are enabled. moby/moby#46446
  • Fix daemon's cleanupContainer if containerd is stopped. moby/moby#46213
  • Fix returning incorrect HTTP status codes for libnetwork errors. moby/moby#46146
  • Fix various issues with images/json API filters and image list. moby/moby#46034
  • CIFS volumes now resolves FQDN correctly. moby/moby#46863
  • Improve validation of the userland-proxy-path daemon configuration option. Validation now happens during daemon startup, instead of producing an error when starting a container with port-mapping. moby/moby#47000
  • Set the MAC address of container's interface when network mode is a short network ID. moby/moby#46406
  • Sort unconsumed build arguments before display in build output. moby/moby#45917
  • The docker image save tarball output is now OCI compliant. moby/moby#44598
  • The daemon no longer appends ACCEPT rules to the end of the INPUT iptables chain for encrypted overlay networks. Depending on firewall configuration, a rule may be needed to permit incoming encrypted overlay network traffic. moby/moby#45280
  • Unpacking layers with extended attributes onto an incompatible filesystem will now fail instead of silently discarding extended attributes. moby/moby#45464
  • Update daemon MTU option to BridgeConfig and display warning on Windows. moby/moby#45887
  • Validate IPAM config when creating a network. Automatically fix networks created prior to this release where --ip-range is larger than --subnet. moby/moby#45759
  • Containers connected only to internal networks will now have no default route set, making the connect syscall fail-fast. moby/moby#46603
  • containerd image store: Add image events for push, pull, and save. moby/moby#46405
  • containerd image store: Add support for pulling legacy schema1 images. moby/moby#46513
  • containerd image store: Add support for pushing all tags. moby/moby#46485
  • containerd image store: Add support for registry token. moby/moby#46475
  • containerd image store: Add support for showing the number of containers that use an image. moby/moby#46511
  • containerd image store: Fix a bug related to the ONBUILD, MAINTAINER, and HEALTHCHECK Dockerfile instructions. moby/moby#46313
  • containerd image store: Fix Pulling from progress message. moby/moby#46494
  • containerd image store: Add support for referencing images via the truncated ID with sha256: prefix. moby/moby#46435
  • containerd image store: Fix docker images showing intermediate layers by default. moby/moby#46423
  • containerd image store: Fix checking if the specified platform exists when getting an image. moby/moby#46495
  • containerd image store: Fix errors when multiple ADD or COPY instructions were used with the classic builder. moby/moby#46383
  • containerd image store: Fix stack overflow errors when importing an image. moby/moby#46418
  • containerd image store: Improve docker pull progress output. moby/moby#46412
  • containerd image store: Print the tag, digest, and size after pushing an image. moby/moby#46384
  • containerd image store: Remove panic from UpdateConfig. moby/moby#46433
  • containerd image store: Return an error when an image tag resembles a digest. moby/moby#46492
  • containerd image store: docker image ls now shows the correct image creation time and date. moby/moby#46719
  • containerd image store: Fix an issue handling user namespace settings. moby/moby#46375
  • containerd image store: Add support for pulling all tags (docker pull -a). moby/moby#46618
  • containerd image store: Use the domain name in the image reference as the default registry authentication domain. moby/moby#46779

Packaging updates



  • Deprecate API versions older than 1.24. Deprecation notice
  • Deprecate IsAutomated field and is-automated filter for docker search. Deprecation notice
  • API: Deprecate Container and ContainerConfig properties for /images/{id}/json (docker image inspect). moby/moby#46939

Known limitations

Extended attributes for tar files

In this release, the code that handles tar archives was changed to be more strict and to produce an error when failing to write extended attributes (xattr). The tar implementation for macOS generates additional extended attributes by default when creating tar files. These attribute prefixes aren't valid Linux xattr namespace prefixes, which causes an error when Docker attempts to process these files. For example, if you try to use a tar file with an ADD Dockerfile instruction, you might see an error message similar to the following:

failed to solve: lsetxattr /sftp_key.ppk: operation not supported

Error messages related to extended attribute validation were improved to include more context in v25.0.1, but the limitation in Docker being unable to process the files remains. Tar files created with the macOS tar using default arguments will produce an error when the tar file is used with Docker.

As a workaround, if you need to use tar files with Docker generated on macOS, you can either:

  • Use the --no-xattr flag for the macOS tar command to strip all the extended attributes. If you want to preserve extended attributes, this isn't a recommended option.

  • Install and use gnu-tar to create the tarballs on macOS instead of the default tar implementation. To install gnu-tar using Homebrew:

    $ brew install gnu-tar

    After installing, add the gnu-tar binary to your PATH, for example by updating your .zshrc file:

    $ echo 'PATH="/opt/homebrew/opt/gnu-tar/libexec/gnubin:$PATH"' >> ~/.zshrc
    $ source ~/.zshrc