Docker Security Alert: Zombie Layers Put Sensitive Data at Risk

Researchers from GitGuardian have discovered that after a Docker image is deleted, its layers may continue to exist in the registry. These layers, referred to as “zombie layers,” can remain in registries for weeks before being purged by the garbage collection service. The primary danger lies in the fact that zombie layers, containing sensitive information, may become a target for malicious actors who monitor registries for vulnerabilities.

One such flaw has been identified in Amazon Web Services (AWS) ECR, where even with tag immutability enabled, Docker image layers can be uploaded before the system rejects the manifest. This allows for the creation of zombie layers, even in environments where image overwrites are prohibited.

Docker images are composed of multiple layers, each representing an archive of files, such as bash or specific scripts. A Docker image manifest describes its contents, including the hashes of the layers. However, when an image is modified, for instance, by removing a layer containing secret data, the original layers remain in the registry and can be restored using their hashes.

During an experiment, researchers uploaded a test Docker image to a registry and then modified it, removing a layer containing sensitive information. The team then tested whether the deleted layer could be recovered and found that the layer still existed in the registry and could be downloaded. This occurs because registries do not immediately delete unused layers, even if they are no longer referenced in the manifest.

Particular attention was given to how long zombie layers remain accessible in registries. In an experiment involving four registries—DockerHub, Quay.io, GitHub Packages, and AWS ECR—it was found that zombie layers remained visible for up to a month, with the exception of Quay.io, which deleted the layer after 17 days. To prevent such scenarios, GitGuardian recommends scanning Docker images for secrets before publishing them to prevent leaks.

Similar issues also affect GitHub—data from deleted forks, repositories, and even private repositories can remain accessible indefinitely. The problem is not only known to the company but is also part of the platform’s architecture.