Platform: go
Component: github.com/docker/compose
Fixed in: 2.40.3, 2.40.2
CVE-2025-62725 is a path traversal vulnerability in Docker Compose. By manipulating OCI artifact layer annotations, an attacker can cause Compose to read sensitive files. Docker Compose versions before 2.40.2 are affected; the fix was released in version 2.40.2.
The flaw lets an attacker read arbitrary files on the system where Docker Compose runs, including configuration files, credentials, or other data that could be used to compromise the host or reach other resources. The attack vector is a crafted OCI artifact whose layer annotations, when processed by Docker Compose, cause files outside the intended directory to be disclosed. Successful exploitation could lead to data breaches, privilege escalation, and compromise of the entire host. The direct impact is file disclosure, but the disclosed files may contain credentials or configuration data that enable further attacks.
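The check that this class of bug is missing is a path-containment test between the annotation value and the directory the tool intends to work in. The following Go program is an added illustration written for this page, not Docker Compose's own code: it treats a layer annotation as an untrusted relative path, resolves it under the intended root, and rejects absolute paths and any lexical escape. The annotation key `example.invalid/path`, the root directory and the sample annotation maps are constructed placeholders, not identifiers from the advisory; the approach applies to any tool that derives a file path from untrusted artifact metadata, not only Compose.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when an annotation-supplied path would resolve
// outside the directory the caller intends to read or write under.
var ErrOutsideRoot = errors.New("annotation path escapes target directory")

// hypotheticalPathAnnotation is a placeholder annotation key for this
// illustration; it is not a key taken from the advisory.
const hypotheticalPathAnnotation = "example.invalid/path"

// SafeJoin resolves rel under root and returns the joined path only if it
// still lies inside root after cleaning. Absolute values, a leading "..",
// and tricks such as "ok/../../x" are all rejected.
func SafeJoin(root, rel string) (string, error) {
	if rel == "" {
		return "", errors.New("empty annotation path")
	}
	if filepath.IsAbs(rel) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, rel) // Join cleans the result
	// Express the result relative to root again: anything that needs to
	// climb with ".." to get back is outside the root.
	back, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// ResolveLayerPath reads the path annotation from a layer's annotation map
// and validates it against root before any file access happens.
func ResolveLayerPath(root string, annotations map[string]string) (string, error) {
	rel, ok := annotations[hypotheticalPathAnnotation]
	if !ok {
		return "", errors.New("layer carries no path annotation")
	}
	return SafeJoin(root, rel)
}

func main() {
	// Constructed sample annotation maps: two benign, three escaping.
	samples := []map[string]string{
		{hypotheticalPathAnnotation: "compose.yaml"},
		{hypotheticalPathAnnotation: "overrides/dev.yaml"},
		{hypotheticalPathAnnotation: "../../etc/passwd"},
		{hypotheticalPathAnnotation: "/etc/shadow"},
		{hypotheticalPathAnnotation: "ok/../../escape.yaml"},
	}
	for _, a := range samples {
		p, err := ResolveLayerPath("/tmp/compose-artifact", a)
		fmt.Printf("%-24q -> %q err=%v\n", a[hypotheticalPathAnnotation], p, err)
	}
}
```

The check is purely lexical, which is what an annotation needs before anything is opened; if the root can already contain symlinks planted by an earlier layer, resolve the joined path with `filepath.EvalSymlinks` and run the same containment test on the result. Whatever the tool does next (open, write, or parse), it should use only the validated path, never the raw annotation value.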
CVE-2025-62725 was published on 2025-10-30. There is no indication of active exploitation campaigns at this time. Its severity is rated HIGH (CVSS 7.5), with a moderate likelihood of exploitation should a public proof-of-concept be released. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC:
The primary mitigation for CVE-2025-62725 is to upgrade Docker Compose to version 2.40.2 or later. If an immediate upgrade is not possible because of compatibility issues or breaking changes, apply stricter file access controls on the host to limit the impact of a successful exploit, and review and restrict the permissions granted to the user account that runs Docker Compose. A WAF or proxy cannot prevent this vulnerability directly, but it can be configured to monitor for suspicious file access patterns. After upgrading, confirm the fix by attempting to access a file outside the intended directory through a crafted OCI artifact layer annotation; the access should be denied.
Update Docker Compose to version 2.40.2 or higher. This will fix the path traversal vulnerability. You can download the latest version from the official Docker website or by using your preferred package manager.
CVE-2025-62725 is a Path Traversal vulnerability in Docker Compose versions before 2.40.2, allowing attackers to read arbitrary files via OCI artifact layer annotations.
You are affected if you are using Docker Compose versions prior to 2.40.2. Upgrade to the latest version to mitigate the risk.
Upgrade Docker Compose to version 2.40.2 or later. If immediate upgrade is not possible, implement stricter file access controls.
There is no current indication of active exploitation, but the vulnerability's severity warrants prompt mitigation.
Refer to the official Docker security advisory for detailed information and updates: [https://security.docker.com/](https://security.docker.com/)