VDB

CVE-2025-62725

CVE-2025-62725 PUBLISHED CVSS 8.899999618530273 HIGH

Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. This affects any platform or workflow that resolves remote OCI compose artifacts, Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, cloud dev environments is affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read‑only commands such as docker compose config or docker compose ps. This issue is fixed in v2.40.2.

EPSS 0.05% · 14.5th percentile

Risk Scores

CVSS v4.0
8.899999618530273
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS Score
0.05%
14.5th percentile

Affected Products

VendorProductVersions
github.comdocker/compose/v22.34.0
dockercompose< 2.40.2

Timeline

  • Jan 21, 1970 Security Advisory
  • Oct 27, 2025 CVE Published
  • Oct 27, 2025 Coalition ESS Score
  • Oct 27, 2025 PoC Published
  • Oct 28, 2025 EPSS Score
  • Oct 29, 2025 PoC Published
  • Oct 29, 2025 PoC Published
  • Oct 29, 2025 PoC Published
  • Oct 29, 2025 PoC Published
  • Oct 30, 2025 Coalition ESS Score
  • Oct 31, 2025 PoC Published
  • Oct 31, 2025 PoC Published

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›