Platform: go
Component: github.com/docker/compose
Fixed in: 2.40.3, 2.40.2
CVE-2025-62725 describes a Path Traversal vulnerability discovered in Docker Compose, specifically within the handling of OCI artifact layer annotations. This flaw allows attackers to potentially read sensitive files from the host system. The vulnerability impacts versions of Docker Compose before 2.40.2, and a patch has been released to address the issue.
The core of the vulnerability lies in how Docker Compose processes annotations within OCI (Open Container Initiative) artifact layers. Malicious actors can craft specially designed annotations that, when processed by Docker Compose, lead to the traversal of directories outside the intended scope. This allows them to read files they shouldn't have access to, potentially exposing configuration files, secrets, or other sensitive data. The impact can range from information disclosure to, in more complex scenarios, potential code execution if the attacker can leverage the read access to manipulate system behavior. While direct code execution isn't immediately apparent, the ability to read arbitrary files creates a significant attack surface.
CVE-2025-62725 was publicly disclosed on 2025-10-30. The EPSS score is currently pending evaluation. No public proof-of-concept exploits are currently known, but the nature of path traversal vulnerabilities makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations using Docker Compose in production environments, particularly those with sensitive data stored on the host system or within Docker containers, are at risk. Environments with less stringent file access controls are also more vulnerable. Developers using Docker Compose for local development should also apply the fix to prevent potential compromise.
• linux / server: Monitor Docker Compose logs for unusual file access attempts. Use journalctl -u docker-compose to filter for errors related to file access.
  journalctl -u docker-compose | grep "file not found" -i
• go: Inspect Docker Compose source code for instances of os.Open or similar functions that handle file paths derived from user input. Look for potential path traversal vulnerabilities.
• generic web: If Docker Compose is exposed via a web interface, monitor access logs for requests attempting to access files outside the intended directory.
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2025-62725 is to upgrade Docker Compose to version 2.40.2 or later. This version includes a fix that properly sanitizes and validates OCI artifact layer annotations, preventing the path traversal. If an immediate upgrade is not feasible, consider implementing stricter file system permissions to limit the potential damage from a successful exploit. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for suspicious file access patterns. After upgrading, verify the fix by attempting to access a file outside the expected directory using a crafted OCI annotation; the access should be denied.
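The containment check that the fix describes, written here as an added Go example rather than Compose's own code: an unchecked filepath.Join of an annotation value next to a hardened version that proves the resolved path stays under the extraction directory. The annotation key name, the base directory and the sample annotation values are constructed assumptions, not values from the advisory.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Placeholder annotation key (assumption, not the real Compose key name).
const annotationFileKey = "org.example.compose.file"

// vulnerableJoin is the defect class: the annotation value is joined onto
// baseDir with no containment check, so "../" segments walk out of it.
func vulnerableJoin(baseDir, rel string) string {
	return filepath.Join(baseDir, rel)
}

// safeJoin is the hardened form: reject absolute paths, clean the result,
// and prove with filepath.Rel that it still sits inside baseDir.
func safeJoin(baseDir, rel string) (string, error) {
	if rel == "" || filepath.IsAbs(rel) {
		return "", fmt.Errorf("rejecting %q: empty or absolute annotation path", rel)
	}
	base := filepath.Clean(baseDir)
	candidate := filepath.Join(base, rel) // Join also runs Clean
	relBack, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", err
	}
	// Once cleaned, an escaping path begins with a ".." segment.
	if relBack == ".." || strings.HasPrefix(relBack, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("rejecting %q: escapes %s", rel, base)
	}
	return candidate, nil
}

// layerTarget resolves where a layer may be written from untrusted manifest annotations.
func layerTarget(baseDir string, annotations map[string]string) (string, error) {
	rel, ok := annotations[annotationFileKey]
	if !ok {
		return "", fmt.Errorf("layer has no %s annotation", annotationFileKey)
	}
	return safeJoin(baseDir, rel)
}

func main() {
	for _, rel := range []string{"services/web.yaml", "../../etc/passwd"} { // constructed samples
		p, err := layerTarget("/tmp/compose-oci", map[string]string{annotationFileKey: rel})
		fmt.Printf("%-20q -> %q err=%v\n", rel, p, err)
	}
}
```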
Upgrade Docker Compose to version 2.40.2 or later. This fixes the path traversal vulnerability. You can download the latest version from the official Docker website or install it using your preferred package manager.
CVE-2025-62725 is a Path Traversal vulnerability in Docker Compose versions before 2.40.2, allowing attackers to read arbitrary files via OCI artifact layer annotations.
You are affected if you are using Docker Compose versions prior to 2.40.2. Upgrade to the latest version to mitigate the risk.
Upgrade Docker Compose to version 2.40.2 or later. If immediate upgrade is not possible, implement stricter file access controls.
There is no current indication of active exploitation, but the vulnerability's severity warrants prompt mitigation.
Refer to the official Docker security advisory for detailed information and updates: [https://security.docker.com/](https://security.docker.com/)