{“lastseen”:”2025-10-28T18:42:02″,”description”:”Docker Compose powers millions of workflows, from CI\/CD runners and local development stacks to cloud workspaces and enterprise build pipelines. It\u2019s trusted by developers as the friendly layer above Docker Engine that turns a few YAML lines into a running application.\\n\\nIn early October 2025, while exploring Docker Compose\u2019s new support for OCI-based Compose artifacts, I discovered a high-severity path traversal vulnerability. The flaw allowed attackers to escape Compose\u2019s cache directory and write arbitrary files on the host system, simply by tricking a user into referencing a malicious remote artifact. The issue was patched by the Docker team and assigned CVE-2025-62725, rated High (CVSS 8.9).\\n\\n**We strongly recommend upgrading to Docker version v2.40.2 or later.** In this post I unpack the bug, share the proof of concept, and reconstruct how exploitation would have played out in practice.\\n\\n## **Background: OCI Compose Artifacts and Remote Includes**\\n\\nTo make Compose projects more portable, Docker added support for fetching Compose files published as OCI artifacts. This allows developers to host Compose projects in registries and include them via a simple \u201cinclude:\u201d directive.\\n\\nBehind the scenes, Compose fetches the OCI manifest, downloads each layer, and reconstructs the local project inside a cache directory.\\n\\nEach layer can include annotations such as:\\n\\n_com.docker.compose.file_ \\n_com.docker.compose.envfile_ \\n_com.docker.compose.extends_\\n\\nThese instruct Compose where to write the file and whether it extends the main project definition.\\n\\n## **Path Traversal in Docker Compose OCI Artifacts**\\n\\nThe vulnerable code lived in pkg\/remote\/oci.go, specifically inside pullComposeFiles, writeComposeFile, and writeEnvFile.\\n\\nWhen Compose processed OCI layers it trusted the layer annotations that tell it where to write files. An attacker could set an annotation such as:\\n\\nCompose then performed a literal join between its local cache directory and that annotation:\\n\\nNo normalization, no canonicalization, no checks that the resulting path stayed inside the cache. Because of that, a crafted annotation could traverse out of the cache directory and cause Compose to write files anywhere the Compose process had permission to write.\\n\\nMost people know it’s a bad idea to run \u201cdocker compose up\u201d on untrusted compose files. What makes this bug subtle and dangerous is that it is triggered during artifact resolution, not only when starting containers. Many seemingly \u201cread only\u201d commands, for example docker compose ps or docker compose config, force Compose to fetch and reconstruct remote OCI artifacts into the cache triggering the vulnerability.\\n\\n## **Exploitation**\\n\\nTo demonstrate the vulnerability, I created a minimal OCI registry that serves a malicious Compose artifact containing a path traversal layer. The registry is available here.\\n\\nAn attacker could exploit this by convincing a victim to run almost any Compose command, such as \u201cdocker compose ps\u201d in a directory that includes a specially crafted docker-compose.yaml file.\\n\\nOnce triggered, the Docker Compose CLI would fetch the remote artifact from the attacker\u2019s registry, inadvertently leaking the server\u2019s IP address. It would then process the artifact\u2019s annotations, blindly writing an additional YAML fragment outside of its cache directory.\\n\\nIn this proof-of-concept the payload targets ~\/[.]ssh\/authorized_keys, injecting the attacker\u2019s public key and immediately granting them SSH access to the victim\u2019s machine, even though no containers were started and no \u201cwrite\u201d operation was explicitly invoked by the user.\\n\\n## **Fix and Mitigation**\\n\\nThe Docker team’s patch introduces a validatePathInBase() function that normalizes and validates annotation-derived paths before writing, rejecting any that resolve outside the cache directory or that contain absolute paths.\\n\\nWe strongly recommend upgrading to Docker version v2.40.2 or later.\\n\\n## **Timeline**\\n\\n * **October 9, 2025** \u2014 Vulnerability reported to Docker Security.\\n * **October 21, 2025** \u2014 Issue confirmed, advisory opened.\\n * **October 27, 2025** \u2014 Fix released in Docker Compose v2.40.2, CVE-2025-62725 published.\\n\\n\\n\\n## **Conclusion**\\n\\nDocker Compose\u2019s OCI artifact feature was built to make sharing configurations effortless, but as this case shows, any time a tool automatically reconstructs files from untrusted sources, boundaries blur.\\n\\nThe Docker team\u2019s swift response and fix ensured users remain protected, but the broader takeaway for the ecosystem is clear: **sanitize every path, even when \u201cit\u2019s just YAML.\u201d**\\n\\nThe post CVE-2025-62725: From \u201cdocker compose ps\u201d to System Compromise appeared first on Blog.”,”published”:”2025-10-28T17:27:53″,”modified”:”2025-10-28T17:27:53″,”type”:”impervablog”,”title”:”CVE-2025-62725: From \u201cdocker compose ps\u201d to System Compromise”,”source”:””,”references”:””,”id”:”IMPERVABLOG:60999244835ED88136CF4FB08F8E160D”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-62725″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.9,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:A\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.imperva.com\/blog\/cve-2025-62725-from-docker-compose-ps-to-system-compromise\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-28T18:42:02″,”description”:”Docker Compose powers millions of workflows, from CI\/CD runners and local development stacks to cloud workspaces and enterprise build pipelines. It\u2019s trusted by developers as…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,113,12,15,59,13,7,11,5],"class_list":["post-23740","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-89","tag-exploit","tag-high","tag-impervablog","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n