Docker Compose, a cornerstone tool for developers managing containerized applications, harbors a high-severity vulnerability that lets attackers overwrite files anywhere on a host system.
Discovered in early October 2025 by Imperva, the issue stems from improper handling of remote artifacts in Docker’s OCI support, enabling path traversal attacks without even launching containers.
Assigned CVE-2025-62725 with a CVSS score of 8.9, the flaw affects millions of workflows in CI/CD pipelines, local development, and cloud environments. Docker swiftly patched it in version 2.40.2, urging users to update immediately.
The vulnerability emerged as researchers probed Docker Compose’s new feature for OCI-based artifacts, which allows teams to share portable Compose projects via registries.
These artifacts use simple “include” directives in YAML files to pull in configurations, environment files, and extensions. Behind the scenes, Compose downloads layers from the registry and reconstructs them in a local cache directory, guided by annotations like com.docker.compose.file or com.docker.compose.envfile.
These annotations dictate file destinations, but the code in oci.go blindly concatenated them with the cache path, skipping normalization or boundary checks.
Attackers could craft malicious artifacts with annotations to escape the cache and target sensitive locations, such as SSH keys or system configs.
The danger lies in its stealth: it triggers during “read-only” operations like “docker compose config” or “docker compose ps,” which resolve remote includes without user intent to write files.
A proof-of-concept demonstrates injecting an SSH public key into ~/.ssh/authorized_keys, granting remote access—all from a tricked developer running a routine command on an untrusted YAML file.
This bug’s subtlety amplifies its threat. Developers often share Compose files in public repos or CI systems, unaware that a tampered “include” could fetch a poisoned artifact.
In enterprise settings, cloud dev environments or automated builds become prime targets, as the process leaks server IPs during fetches and writes files with the Compose binary’s permissions.
No container startup is needed, blurring the lines between safe inspection and exploitation. Impacts span Docker Desktop, Linux binaries, and integrated tools, potentially leading to full system compromise if the host runs as root or has broad write access.
Docker’s fix introduces a validatePathInBase function that normalizes paths and rejects traversals or absolute references. Reported on October 9, confirmed by October 21, and released on October 27, the patch closes the gap without disrupting OCI features.
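The kind of containment check described above, next to the unchecked join it replaces, as an added Go example. This is not Docker's code or its validatePathInBase implementation; the function names, cache path and annotation values are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesBase is returned when a registry-supplied name would land outside the cache.
var ErrEscapesBase = errors.New("path escapes cache directory")

// unsafeJoin mirrors the flaw the article describes: the annotation value is
// joined to the cache path with no boundary check.
func unsafeJoin(cacheDir, annotation string) string {
	return filepath.Join(cacheDir, annotation)
}

// safeJoin (hypothetical name) rejects absolute paths and any value that
// resolves outside cacheDir after normalization.
func safeJoin(cacheDir, annotation string) (string, error) {
	if annotation == "" || filepath.IsAbs(annotation) {
		return "", ErrEscapesBase
	}
	base := filepath.Clean(cacheDir)
	target := filepath.Join(base, annotation) // Join also collapses ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesBase
	}
	return target, nil
}

func main() {
	cache := "/home/dev/.cache/compose/oci" // constructed cache path
	// Constructed annotation values, as a registry could supply them.
	for _, a := range []string{"compose.yaml", "env/.env",
		"../../../.ssh/authorized_keys", "/etc/cron.d/job", "a/../../x"} {
		p, err := safeJoin(cache, a)
		fmt.Printf("%-32q unsafe=%-46s safe=%q err=%v\n", a, unsafeJoin(cache, a), p, err)
	}
}
```

The check is purely lexical: it does not resolve symlinks, so a cache directory that can already contain attacker-controlled symlinks needs an additional resolved-path comparison before writing.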
Security experts emphasize auditing shared Compose files and running tools with the least privilege. As container orchestration evolves, this incident underscores the perils of trusting remote metadata, reminding developers that convenience must never outpace validation.
With updates applied, Docker Compose regains its trusted status, but vigilance remains key in an era of interconnected DevOps.