SB2025103132 - Arbitrary file write in Docker Compose
Published: October 31, 2025 Updated: November 26, 2025
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2025-62725)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer carries the annotation com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value from com.docker.compose.file or com.docker.compose.envfile with its local cache directory and writes the layer's content to the resulting path. Because that value is never checked against the cache directory, a remote attacker can escape it and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as "docker compose config" or "docker compose ps".
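The defect described above is an unchecked path join. The following added example (not Docker Compose's own code; the function names, the cache path and the annotation values are constructed for illustration) shows the unsafe join beside a containment check that confines an annotation-supplied path to the cache directory and rejects anything that would resolve outside it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when an annotation value would resolve
// outside the Compose cache directory.
var ErrOutsideCache = errors.New("annotation path escapes cache directory")

// naiveJoin mirrors the unsafe pattern described in the bulletin: the
// annotation value is joined onto the cache directory with no check, so a
// value containing ".." segments is resolved to a location outside it.
func naiveJoin(cacheDir, annotation string) string {
	return filepath.Join(cacheDir, annotation)
}

// safeJoin resolves an annotation-supplied relative path inside cacheDir and
// refuses empty values, absolute paths, and anything whose cleaned form is
// not strictly below cacheDir. cacheDir is expected to be absolute.
func safeJoin(cacheDir, annotation string) (string, error) {
	if annotation == "" || filepath.IsAbs(annotation) {
		return "", ErrOutsideCache
	}
	base := filepath.Clean(cacheDir)
	target := filepath.Join(base, annotation) // Join cleans ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// "." means the cache directory itself; ".." or "../x" means outside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return target, nil
}

func main() {
	cache := "/tmp/compose-cache" // constructed example path, not Compose's real location
	for _, a := range []string{"proj/compose.yaml", "../../etc/profile"} {
		fmt.Printf("naive: %s\n", naiveJoin(cache, a))
		if p, err := safeJoin(cache, a); err != nil {
			fmt.Printf("safe : rejected %q (%v)\n", a, err)
		} else {
			fmt.Printf("safe : %s\n", p)
		}
	}
}
```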
Remediation
Install the update from the vendor's website.