CVE-2025-62725
Arbitrary File Overwrite vulnerability in github.com/docker/compose/v2 (Go)

What is CVE-2025-62725 About?

This vulnerability in Docker Compose allows for arbitrary file overwrites due to improper handling of path information in remote OCI compose artifacts. Attackers can leverage specially crafted artifact annotations to escape the cache directory and overwrite files on the host machine. This can lead to significant system compromise and is relatively easy to exploit with manipulated OCI artifacts.

Affected Software

github.com/docker/compose/v2 <2.40.2

Technical Details

Docker Compose improperly trusts path information contained within remote OCI compose artifacts. Specifically, when a layer within such an artifact includes the com.docker.compose.extends or com.docker.compose.envfile annotations, Compose concatenates an attacker-controlled value from com.docker.compose.file or com.docker.compose.envfile with its local cache directory. An attacker can supply a path traversal sequence (e.g., ../../) within these annotation fields, allowing them to escape the intended cache directory. Although the operation might appear read-only (e.g., docker compose config or docker compose ps), this path manipulation enables the attacker to overwrite arbitrary files on the machine running Docker Compose, regardless of the command's perceived intent.
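To make the flaw concrete, the following is an added Go example written for this page, not Compose's own code or its fix. It contrasts the unchecked join the advisory describes with a hypothetical containment check; the cache directory, function names and sample annotation values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when an annotation path would resolve outside the cache.
var ErrOutsideCache = errors.New("annotation path escapes cache directory")

// naiveCachePath mirrors the flawed pattern the advisory describes: the
// attacker-controlled com.docker.compose.file / com.docker.compose.envfile
// value is joined onto the cache directory with no containment check.
func naiveCachePath(cacheDir, annotationValue string) string {
	return filepath.Join(cacheDir, annotationValue)
}

// safeCachePath is a hypothetical hardened variant (not Compose's actual fix):
// it rejects absolute values, resolves the join, and verifies the result is
// still under cacheDir before any file is written.
func safeCachePath(cacheDir, annotationValue string) (string, error) {
	absCache, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(annotationValue) {
		return "", ErrOutsideCache
	}
	target := filepath.Join(absCache, annotationValue) // Join also collapses ".." segments
	rel, err := filepath.Rel(absCache, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return target, nil
}

func main() {
	// Constructed sample values: a benign annotation and a traversal one.
	cache := "/tmp/compose-cache"
	for _, v := range []string{"compose.yaml", "../../etc/compose.yaml"} {
		fmt.Printf("naive: %s\n", naiveCachePath(cache, v))
		p, err := safeCachePath(cache, v)
		fmt.Printf("safe:  %q, err=%v\n", p, err)
	}
}
```

Running it shows the naive join resolving to a path outside the cache directory while the checked variant returns an error for the same input.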

What is the Impact of CVE-2025-62725?

Successful exploitation may allow attackers to achieve arbitrary code execution, denial of service, privilege escalation, or full system compromise by overwriting critical system files or injecting malicious configurations.

What is the Exploitability of CVE-2025-62725?

Exploitation of this vulnerability is considered medium-to-low complexity: the attacker mainly needs to create a malicious OCI compose artifact with crafted path traversal annotations. No authentication against the Docker Compose instance itself is required, because the vulnerability lies in how Compose processes the artifact. Privilege requirements depend on the context in which Docker Compose is run; if it runs as a highly privileged user, the impact of file overwrites is far greater. This is a remote vulnerability, as the attacker delivers the malicious artifact from a remote source. A key prerequisite is that the victim runs Docker Compose commands that resolve remote OCI artifacts, including read-only operations. Risk factors include environments that frequently pull and process external OCI compose artifacts, such as CI/CD pipelines or cloud development environments.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2025-62725?

Available Upgrade Options

  • github.com/docker/compose/v2
    • <2.40.2 → Upgrade to 2.40.2


Additional Resources

What are Similar Vulnerabilities to CVE-2025-62725?

Similar Vulnerabilities: CVE-2023-38408, CVE-2022-36058, CVE-2021-39217, CVE-2020-1492, CVE-2018-1002105