ghsa-gv8h-7v7w-r22q
Vulnerability from github
Published: 2025-10-27 20:19
Modified: 2025-10-27 22:32
Summary
Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations
Details
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there.
Impact
This affects any platform or workflow that resolves remote OCI compose artifacts: Docker Desktop, standalone Compose binaries on Linux, CI/CD runners and cloud dev environments are all affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as docker compose config or docker compose ps.
Patches
v2.40.2
Workarounds
NA
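The following Go snippet is an added illustration of the bug class, not Docker Compose's own code: `unsafeCachePath` mirrors the vulnerable pattern of joining an annotation value straight onto the cache directory, while `safeCachePath` shows the containment check a fix needs (reject absolute paths, then confirm with filepath.Rel that the cleaned result still lies inside the cache directory). Function names, the sample cache directory and the sample annotation values are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when an annotation value would resolve outside the cache directory.
var ErrPathEscape = errors.New("annotation path escapes cache directory")

// unsafeCachePath mirrors the vulnerable pattern: the annotation value is joined with
// the cache directory without any containment check, so "../" segments walk out of it.
func unsafeCachePath(cacheDir, annotation string) string {
	return filepath.Join(cacheDir, annotation)
}

// safeCachePath rejects empty and absolute values, joins the value onto the cleaned
// cache directory, and then verifies via filepath.Rel that the result is a path strictly
// inside cacheDir (not the directory itself, and not anything reached through "..").
func safeCachePath(cacheDir, annotation string) (string, error) {
	if annotation == "" || filepath.IsAbs(annotation) {
		return "", ErrPathEscape
	}
	base := filepath.Clean(cacheDir)
	target := filepath.Join(base, annotation) // Join cleans, so ".." segments are resolved here
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// A relative path of ".", ".." or "../..." means target is the cache dir itself or outside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return target, nil
}

func main() {
	cache := "/home/user/.cache/docker-compose/oci" // constructed sample cache directory
	for _, v := range []string{"compose-override.yaml", "../outside.txt", "/etc/hosts"} {
		p, err := safeCachePath(cache, v)
		fmt.Printf("%-24q unsafe=%-45s safe=%q err=%v\n", v, unsafeCachePath(cache, v), p, err)
	}
}
```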
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/compose/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.40.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62725"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-27T20:19:34Z",
"nvd_published_at": "2025-10-27T21:15:38Z",
"severity": "HIGH"
},
"details": "Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker\u2011supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. \n\n### Impact\nThis affects any platform or workflow that resolves remote OCI compose artifacts, Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, cloud dev environments is affected.\nAn attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read\u2011only commands such as docker compose config or docker compose ps.\n\n### Patches\nv2.40.2\n\n### Workarounds\nNA",
"id": "GHSA-gv8h-7v7w-r22q",
"modified": "2025-10-27T22:32:12Z",
"published": "2025-10-27T20:19:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62725"
},
{
"type": "WEB",
"url": "https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176"
},
{
"type": "PACKAGE",
"url": "https://github.com/docker/compose"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations"
}