Docker Compose Flaw Lets Attackers Overwrite Arbitrary Files

A path traversal vulnerability discovered in Docker Compose allows attackers to write arbitrary files to host systems through specially crafted OCI artifacts.

Tracked as CVE-2025-62725, the flaw was discovered in early October 2025 and carries a CVSS 3.1 base score of 8.9 (High).

CVE ID: CVE-2025-62725
Component: Docker Compose OCI artifacts
Vulnerability type: Path traversal / arbitrary file write
CVSS 3.1 score: 8.9 (High)
Affected versions: Docker Compose prior to v2.40.2

Because Compose runs everywhere from developer workstations to enterprise CI/CD pipelines and cloud infrastructure, the exposure is broad: any host on which Compose parses a Compose file from an untrusted source is affected.

How the Vulnerability Works

Docker Compose recently introduced support for OCI-based Compose artifacts, enabling developers to fetch and include Compose files from remote registries.

While this feature improves portability, it opened a gap in file path validation. When Compose processes the layers of a remote OCI artifact, it trusts the layer annotations that say where each downloaded file should be written on disk.

The vulnerable code neither normalized nor validated these annotation-derived paths before writing. An attacker who controls the artifact can therefore put path traversal sequences ("../") in an annotation so that the path escapes the intended cache directory, and the file is written wherever the path resolves.

The write happens in the Compose CLI process, so it lands anywhere the invoking user can write: the user's SSH directory, shell or tool configuration folders, cron or systemd user units, or any other location that user owns.

What makes this vulnerability particularly dangerous is that the victim does not need to start any containers to trigger it.

Read-only looking commands such as "docker compose ps" or "docker compose config" still parse the Compose file, which forces Compose to fetch and reconstruct any remote OCI artifacts it references, so the malicious annotations are processed without the user realizing untrusted content is involved.

An attacker therefore only needs to get a victim to run any Compose command in a directory containing a malicious docker-compose.yaml, one that references an attacker-controlled OCI artifact.

In the proof-of-concept demonstration, as reported by Imperva, the attacker's annotation targeted the victim's authorized_keys file, injecting the attacker's SSH public key and granting immediate remote access.

This happens without any containers starting and without any explicit write operation by the user. The attack chain is simple yet highly effective.

Docker fixed the issue in Docker Compose v2.40.2 by introducing proper path validation.

The fix normalizes and validates every annotation-derived path before writing to disk, rejecting absolute paths and any path that resolves outside the cache directory.
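The following Go example is added here to illustrate the bug and the fix described above; it is not Compose's own code, and the annotation values, the cache location and the function names are placeholders chosen for the illustration. resolveUnchecked shows the pattern the vulnerable code followed (an annotation path joined onto the cache directory with no checks), and resolveChecked shows the validation the patch describes: normalize, reject absolute paths, reject anything that resolves outside the cache.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when an annotation-derived path would land
// outside the Compose cache directory.
var ErrOutsideCache = errors.New("annotation path escapes cache directory")

// resolveUnchecked reproduces the pattern the article describes for the
// vulnerable code: the path taken from the OCI layer annotation is joined
// onto the cache directory with no validation, so "../" sequences are
// honoured and the result can point anywhere the user can write.
// It is here only to show the bug; do not use it.
func resolveUnchecked(cacheDir, annotationPath string) string {
	return filepath.Join(cacheDir, annotationPath)
}

// resolveChecked is the hardened counterpart: the path is normalized and
// rejected if it is absolute or if, after cleaning, it resolves outside
// cacheDir. Only a successful result may be passed to a file write.
func resolveChecked(cacheDir, annotationPath string) (string, error) {
	if annotationPath == "" {
		return "", errors.New("empty annotation path")
	}
	if filepath.IsAbs(annotationPath) {
		return "", fmt.Errorf("%w: absolute path %q", ErrOutsideCache, annotationPath)
	}
	base, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../b" collapses before the check.
	target := filepath.Join(base, annotationPath)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// Anything that starts with ".." after Rel lies outside the base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrOutsideCache, annotationPath, target)
	}
	return target, nil
}

func main() {
	// Constructed samples: one legitimate annotation and two malicious ones.
	const cache = "/var/cache/docker-compose" // hypothetical cache location
	for _, p := range []string{
		"sha256/0123abcd/compose.yaml",
		"../../../root/.ssh/authorized_keys",
		"/etc/cron.d/backdoor",
	} {
		fmt.Printf("annotation %q\n  unchecked -> %s\n", p, resolveUnchecked(cache, p))
		if got, err := resolveChecked(cache, p); err != nil {
			fmt.Printf("  checked   -> rejected: %v\n", err)
		} else {
			fmt.Printf("  checked   -> %s\n", got)
		}
	}
}
```

Two caveats are worth noting. filepath.Join strips a leading slash, so an absolute annotation is neutralized by the join alone, but "../" sequences are not, which is why the explicit traversal check is the important one. The check is purely lexical: if an attacker can first plant a symlink inside the cache directory, a later write through that symlink still lands outside it, so a complete implementation should also resolve the final parent directory with filepath.EvalSymlinks (or open it with platform-specific no-follow flags) before writing.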

Organizations using Docker Compose should upgrade to v2.40.2 or later immediately; "docker compose version" shows the installed release. Until every host is patched, treat Compose files from untrusted repositories as executable code and avoid running any Compose command, including ps or config, in a checkout you have not reviewed.
