High-severity path traversal vulnerability was identified in Docker Compose
Docker Compose Path Traversal Vulnerability Enables Arbitrary File Write and System Compromise
Summary:
| OEM | Docker |
| Severity | High |
| CVSS Score | 8.9 |
| CVEs | CVE-2025-62725 |
| Date of Announcement | 2025-10-28 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A high-severity path traversal vulnerability was identified in Docker Compose, a widely-used tool for defining and managing multi-container Docker applications.
This flaw occurs in the handling of remote OCI-based Compose artifacts, allowing an attacker to craft malicious artifact annotations that bypass directory restrictions. As a result, malicious files can be written outside the intended cache directory on the host system.
This vulnerability can be triggered even by seemingly harmless commands such as docker compose ps or docker compose config that resolve remote artifacts. Organizations should upgrade immediately to avoid possible system compromise.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Path Traversal in OCI Artifacts Allowing Arbitrary File Write | CVE-2025-62725 | Docker Compose CLI | High | 8.9 |
Technical Summary
Docker Compose added support for fetching Compose files as OCI artifacts from remote registries. These artifacts contain layers with annotations indicating file paths for writing.
The vulnerability exists because Docker Compose did not sanitize or validate these path annotations prior to writing files, allowing path traversal sequences to escape the cache directory.
Attackers can exploit this by publishing malicious OCI artifacts with crafted annotations, leading to arbitrary file writes anywhere the Compose process has permissions, potentially overwriting sensitive files such as SSH authorized_keys, escalating privileges and compromising the host. The flaw affects Docker Compose versions prior to v2.40.2.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62725 | Docker Compose (Linux, Windows, macOS) | Path traversal via malicious remote OCI artifact annotations allowing arbitrary file write outside the Compose cache directory. | Arbitrary file write, potential system compromise, privilege escalation. |
Remediation
Apply security patches immediately to mitigate risks from privilege escalation and container escape.
- Update Docker-compose to v2.40.2 or the latest one.
Conclusion
Docker Compose vulnerability poses a serious risk of arbitrary file writes and system compromise through malicious OCI artifacts.
Due to the ease of exploitation when using remote Compose files, all users and organizations should upgrade to the patched Docker Compose version immediately, scrutinize remote artifact usage, and enhance their container security hygiene to mitigate this significant threat.
References