Docker Compose Vulnerability Allows Attacks To Overwrite Arbitrary Files

Source: Cyber Security News

A serious vulnerability in Docker Compose, discovered in early October 2025, allows a path traversal attack to overwrite arbitrary files on the host system. Assigned CVE-2025-62725, with a CVSS score of 8.9, the flaw arises from improper handling of remote artifacts and affects CI/CD pipelines, local development, and cloud environments. It was found during an inspection of Docker's new feature for OCI-based artifacts, where manipulation of YAML file directives can trigger unauthorized file access.

Attackers can exploit this flaw by crafting malicious artifacts with altered annotations that escape the designated paths and target sensitive system locations, such as SSH keys. Notably, the risk is present even during seemingly harmless commands that evaluate these artifacts without any user intent to write files. Docker's promptly released patch, version 2.40.2, added a path normalization function to prevent such escapes. Security experts advise auditing shared Compose files carefully and running the tooling under a least-privilege model.
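As an added illustration of the kind of destination-path check the patch is described as adding (example code written for this page, not Docker Compose's own implementation; the function name, the root directory and the sample artifact names are assumed):

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any artifact path that would resolve outside
// the directory the tool has been told to write into.
var ErrOutsideRoot = errors.New("artifact path escapes the destination directory")

// SafeArtifactPath resolves a path taken from an untrusted artifact (for
// example an OCI annotation) against root and returns the absolute target only
// if it stays inside root. The check is lexical: it normalises "..", "." and
// separator runs but does not follow symlinks, so a caller must still refuse to
// write through a pre-existing symlink inside root.
func SafeArtifactPath(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Absolute or rooted names are never acceptable from an artifact.
	if name == "" || filepath.IsAbs(name) || strings.HasPrefix(name, `\`) {
		return "", ErrOutsideRoot
	}
	// Treat backslashes as separators so "..\.." is caught on every platform.
	name = filepath.FromSlash(strings.ReplaceAll(name, `\`, "/"))
	candidate := filepath.Join(absRoot, name) // Join also cleans the result
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	// Reject the root directory itself and anything that climbs above it.
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	// Constructed sample names: the first is benign, the rest are traversal attempts.
	for _, n := range []string{"config/app.yaml", "../../root/.ssh/authorized_keys", "/etc/passwd", `..\..\x`} {
		if p, err := SafeArtifactPath("/tmp/compose-artifacts", n); err != nil {
			fmt.Printf("REJECT %q: %v\n", n, err)
		} else {
			fmt.Printf("ALLOW  %q -> %s\n", n, p)
		}
	}
}
```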

👉 Read the original: Cyber Security News