Advisory

Path traversal vulnerability in Docker compose enables system compromise via malicious OCI artifacts

Take action: If you are running Docker Compose on any system, update it ASAP. It would be a painful way to get compromised: a simple docker compose command that should have been read-only and safe to use.


Learn More

Docker has disclosed a high-severity path traversal vulnerability in Docker Compose that allows attackers to escape the tool's cache directory and write arbitrary files anywhere on the host system. Exploitation can occur through seemingly innocuous read-only commands, so an attacker can achieve complete system compromise without the user ever explicitly launching containers or executing write operations.

Docker Compose is a tool trusted by developers worldwide as the user-friendly orchestration layer that sits above Docker Engine, transforming declarative YAML configurations into running containerized applications.

The flaw, tracked as CVE-2025-62725 (CVSS score 8.9), lies in Compose's support for Open Container Initiative (OCI) based Compose artifacts. This feature was designed to make Compose projects more portable by allowing developers to host and share Compose configurations in OCI-compliant container registries.

The flaw is in pkg/remote/oci.go, in the pullComposeFiles, writeComposeFile, and writeEnvFile functions that process remote OCI Compose artifacts. When Docker Compose fetches OCI-based Compose files from a remote registry, it downloads the OCI manifest along with each associated layer, then reconstructs the complete project structure inside a local cache directory on the host. Each layer within these OCI artifacts can carry annotations that describe how its content should be handled and where it should be written. The relevant annotations are com.docker.compose.file, com.docker.compose.envfile, and com.docker.compose.extends, which tell Docker Compose about file placement, environment variable configuration, and project inheritance relationships.

Docker Compose implicitly trusts the path information embedded in these remote OCI artifact annotations. When processing layers that carry the com.docker.compose.extends or com.docker.compose.envfile annotation, Docker Compose performs a literal concatenation of its local cache directory and the attacker-supplied annotation value. This is a path traversal vulnerability: an attacker can craft annotations containing directory traversal sequences (such as ../../../) to escape the cache directory and write files to arbitrary locations on the host filesystem.
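To make the defect concrete, the following Go example contrasts the literal join described above with a containment check that keeps every annotation-derived path inside the cache directory. This is added illustration, not code from Docker Compose; the cache path, the annotation values and the function names unsafeJoin and safeJoin are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when an annotation value would land outside the cache.
var ErrOutsideCache = errors.New("annotation path escapes cache directory")

// unsafeJoin mirrors the flaw the advisory describes: the annotation
// value is joined onto the cache directory with no containment check,
// so "../" segments walk out of the cache.
func unsafeJoin(cacheDir, annotationValue string) string {
	return filepath.Join(cacheDir, annotationValue)
}

// safeJoin resolves the annotation value against the cache directory and
// returns an error unless the result stays strictly inside it. Empty and
// absolute values are refused; the ".." check on the relative path catches
// traversal that filepath.Join would otherwise silently collapse.
func safeJoin(cacheDir, annotationValue string) (string, error) {
	if annotationValue == "" || filepath.IsAbs(annotationValue) {
		return "", ErrOutsideCache
	}
	root, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, annotationValue)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return target, nil
}

func main() {
	// Constructed sample annotation values; the cache path is hypothetical.
	cache := "/tmp/compose-cache"
	for _, v := range []string{"project/compose.yaml", "../../outside.txt"} {
		safe, err := safeJoin(cache, v)
		fmt.Printf("%-22q unsafe=%q safe=%q err=%v\n", v, unsafeJoin(cache, v), safe, err)
	}
}
```

The check is purely lexical: if the cache directory can contain symlinks, resolve the target with filepath.EvalSymlinks before comparing it against the root.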

Affected versions include all Docker Compose releases prior to version 2.40.2. 

Organizations and individuals running Docker Compose should upgrade to Docker Compose v2.40.2 or later. For Docker Desktop users, this update should be applied through the standard Docker Desktop update mechanism. For users running standalone Docker Compose binaries, the new version should be downloaded and installed from the official Docker Compose releases page on GitHub. CI/CD administrators should update all runner images and build agents to include the patched version. Cloud development environment providers should ensure their Docker installations are updated to the latest secure version.

As interim protective measures while planning upgrades, organizations should implement strict validation and sanitization of any remote OCI Compose artifacts before use, especially those sourced from external repositories.
