CVE-2025-62725
published 2025-10-27


Priority: P2 · 60 · high
CVSS 4.0: 8.9 (AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H; full vector string under CVSS provenance below)
EPSS: 13.85% (percentile 96.1)
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotation com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value from com.docker.compose.file / com.docker.compose.envfile with its local cache directory and writes the file there, without checking that the resulting path still lies inside that directory. Any platform or workflow that resolves remote OCI compose artifacts is affected: Docker Desktop, standalone Compose binaries on Linux, CI/CD runners and cloud dev environments. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as docker compose config or docker compose ps, because those commands still resolve and cache the remote artifact. This issue is fixed in v2.40.2.

Affected

4 ranges

Vendor      | Product            | Version range         | Fixed in
debian      | docker-compose     | -                     | -
docker      | compose            | < 2.40.2              | 2.40.2
github.com  | docker_compose_v2  | >= 0, < 2.40.2        | 2.40.2
github.com  | docker_compose_v2  | >= 2.34.0, < 2.40.2   | 2.40.2

Detection & IOCs (extracted from sources)

Indicators (type: other):
  • com.docker.compose.extends
  • com.docker.compose.envfile
  • com.docker.compose.file

Detection guidance:
  • Alert on file write operations by the Docker Compose process (docker compose) outside its expected local cache directory, especially when triggered by read-only subcommands such as 'docker compose config' or 'docker compose ps'.
  • The vulnerability is exploitable even when users run read-only Docker Compose commands; detection and blocking must not be limited to write-oriented subcommands.
  • The attack vector requires user interaction (resolving a remote OCI compose artifact), but the impact is rated Important due to potential privilege escalation or further code execution via overwritten config/env/script files.
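The following Go program is an added example, not code from Docker Compose or from the advisory sources. It shows the two sides of the bug described above: the unchecked join of an annotation value onto the cache directory (vulnerableTarget) beside a join with a containment check (safeTarget), and wraps them in a small scanner (ScanManifest) that a practitioner could run over a manifest pulled from a registry before letting Compose resolve the artifact. The marker-to-path mapping follows the description above (extends layers name the file in com.docker.compose.file, envfile layers in com.docker.compose.envfile itself). The manifest JSON, its media types and digests, the cache path and all function names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Annotation keys named in the advisory.
const (
	AnnotationExtends = "com.docker.compose.extends"
	AnnotationEnvFile = "com.docker.compose.envfile"
	AnnotationFile    = "com.docker.compose.file"
)

// markerToPath: marker annotation on a layer -> annotation whose value is used as
// the file name under the cache directory (mapping as described in the advisory).
var markerToPath = [][2]string{
	{AnnotationExtends, AnnotationFile},
	{AnnotationEnvFile, AnnotationEnvFile},
}

// Subset of an OCI image manifest that the scanner needs.
type ociLayer struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}

type ociManifest struct {
	Layers []ociLayer `json:"layers"`
}

// vulnerableTarget reproduces the flawed behaviour: join and trust the result.
// filepath.Join cleans "..", so "../../.bashrc" resolves to a path outside cacheDir.
func vulnerableTarget(cacheDir, annotated string) string {
	return filepath.Join(cacheDir, annotated)
}

// safeTarget does the same join but rejects any result that is not a file strictly
// inside cacheDir. The check is lexical: it does not follow symlinks.
func safeTarget(cacheDir, annotated string) (string, error) {
	root := filepath.Clean(cacheDir)
	target := filepath.Join(root, annotated)
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("annotation value %q escapes %s", annotated, root)
	}
	return target, nil
}

// Finding is one layer whose compose annotation would have written outside the cache.
type Finding struct {
	Digest     string
	Annotation string
	Value      string
	WouldWrite string // where the unchecked join would have placed the file
}

// ScanManifest parses an OCI manifest and reports every extends/envfile layer whose
// file annotation escapes cacheDir.
func ScanManifest(manifestJSON []byte, cacheDir string) ([]Finding, error) {
	var m ociManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, l := range m.Layers {
		for _, pair := range markerToPath {
			marker, pathKey := pair[0], pair[1]
			if _, ok := l.Annotations[marker]; !ok {
				continue
			}
			value, ok := l.Annotations[pathKey]
			if !ok {
				continue
			}
			if _, err := safeTarget(cacheDir, value); err != nil {
				findings = append(findings, Finding{
					Digest: l.Digest, Annotation: pathKey, Value: value,
					WouldWrite: vulnerableTarget(cacheDir, value),
				})
			}
		}
	}
	return findings, nil
}

// sampleManifest is constructed for the example: one benign extends layer, one
// malicious extends layer and one benign envfile layer. Digests and media types are placeholders.
const sampleManifest = `{
  "schemaVersion": 2,
  "layers": [
    {"mediaType": "application/vnd.docker.compose.file+yaml", "digest": "sha256:aaa",
     "annotations": {"com.docker.compose.extends": "true", "com.docker.compose.file": "base/compose.yaml"}},
    {"mediaType": "application/vnd.docker.compose.file+yaml", "digest": "sha256:bbb",
     "annotations": {"com.docker.compose.extends": "true", "com.docker.compose.file": "../../.bashrc"}},
    {"mediaType": "application/vnd.docker.compose.envfile", "digest": "sha256:ccc",
     "annotations": {"com.docker.compose.envfile": ".env"}}
  ]
}`

func main() {
	const cache = "/home/dev/.cache/docker-compose" // assumed cache location
	findings, err := ScanManifest([]byte(sampleManifest), cache)
	if err != nil {
		fmt.Println("manifest parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("layer %s: %s=%q would write to %s\n", f.Digest, f.Annotation, f.Value, f.WouldWrite)
	}
}
```

Run as-is and the scanner flags the second layer, whose value "../../.bashrc" the unchecked join would turn into /home/dev/.bashrc. Because safeTarget is purely lexical, a hardened resolver should additionally open the final path with O_NOFOLLOW (or resolve symlinks first) so that a planted link inside the cache cannot redirect the write.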

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | 4.0     | 8.9   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv            |         | 8.9   | HIGH     |
vendor_debian  |         | 8.9   | LOW      |
vendor_redhat  |         | 8.9   | HIGH     |