Path traversal in docker-compose - CVE-2025-62725


Published: October 31, 2025 / Updated: November 26, 2025


Vulnerability identifier: #VU117865
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-62725
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Docker Inc.
Affected software: docker-compose

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists because Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer carries the annotation com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value of com.docker.compose.file or com.docker.compose.envfile with its local cache directory and writes the file there. A remote attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as "docker compose config" or "docker compose ps".
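As an added illustration (not Compose's own code and not the upstream fix), the join pattern described above beside a hardened variant that confines the result to the cache directory. The annotation key names come from the advisory; the function names, the cache path and the sample annotation values are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Annotation keys named in the advisory above.
const (
	annotationFile    = "com.docker.compose.file"
	annotationEnvFile = "com.docker.compose.envfile"
)

// naiveJoin mirrors the vulnerable pattern: the annotation value is joined to
// the cache directory with no check that the result stays inside it.
func naiveJoin(cacheDir, annotated string) string {
	return filepath.Join(cacheDir, annotated)
}

// confinedJoin is a hypothetical hardened variant: it rejects absolute values
// and any path that, once cleaned, resolves outside cacheDir (ok == false).
func confinedJoin(cacheDir, annotated string) (string, bool) {
	base := filepath.Clean(cacheDir)
	if filepath.IsAbs(annotated) {
		return "", false
	}
	target := filepath.Join(base, annotated) // Join cleans ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return target, true
}

func main() {
	cache := "/home/user/.cache/compose" // constructed sample cache path
	layer := map[string]string{ // constructed sample layer annotations
		annotationFile:    "../../../../tmp/overwritten.yaml", // traversal attempt
		annotationEnvFile: "env/.env",                          // benign value
	}
	for key, value := range layer {
		safe, ok := confinedJoin(cache, value)
		fmt.Printf("%s\n  naive:    %s\n  confined: %q ok=%v\n",
			key, naiveJoin(cache, value), safe, ok)
	}
}
```

With the constructed traversal value, naiveJoin resolves to /tmp/overwritten.yaml, outside the cache, while confinedJoin rejects it and accepts only the benign relative path.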


How to mitigate CVE-2025-62725

Install updates from the vendor's website.

Sources