Malicious OCI Artifacts Enable System Compromise via Docker Compose

CVE-2025-62725 is a high-severity path traversal vulnerability discovered in Docker Compose’s handling of OCI-based Compose artifacts. By abusing Compose’s layer annotation feature, attackers can write arbitrary files outside the intended cache directory, leading to remote code execution and full system compromise without spinning up containers. This vulnerability can be triggered by innocuous commands like docker compose ps, turning seemingly read-only operations into dangerous attack vectors.

Severity: High

Vulnerability Details

  • Affected Component: pkg/remote/oci.go – a component of the Docker Compose CLI’s Go codebase, specifically in functions such as pullComposeFiles, writeComposeFile, and writeEnvFile.
  • Root Cause:
    • When Docker Compose processes OCI-based Compose artifacts, it blindly trusts layer annotations (e.g., com.docker.compose.file) that dictate where to write files.
    • Compose performs a literal join of the annotation path with its local cache directory: os.Create(filepath.Join(local, annotationValue))
    • No path normalization or validation is performed, so nothing ensures the resulting path stays within the cache boundary.
  • Vulnerability Type: Path Traversal / Arbitrary File Write
  • CVSS Score: 8.9
  • Affected Versions: < v2.40.2
  • Fixed In: v2.40.2
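
The containment check that the root cause above calls for, as an added example (not Docker Compose's own code or its v2.40.2 patch): unsafeCachePath mirrors the literal join quoted in the advisory, while safeCachePath, a hypothetical helper, rejects annotation values that resolve outside the cache directory. The cache directory and annotation values are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesCache reports an annotation that resolves outside the cache directory.
var ErrEscapesCache = errors.New("annotation path escapes cache directory")

// unsafeCachePath mirrors the literal join described in the advisory:
// the annotation value is trusted and never checked after joining.
func unsafeCachePath(cacheDir, annotation string) string {
	return filepath.Join(cacheDir, annotation)
}

// safeCachePath (hypothetical helper) joins the annotation onto the cache
// directory, then verifies the cleaned result is still a file beneath it.
func safeCachePath(cacheDir, annotation string) (string, error) {
	if annotation == "" || filepath.IsAbs(annotation) {
		return "", ErrEscapesCache
	}
	base := filepath.Clean(cacheDir)
	target := filepath.Join(base, annotation) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesCache
	}
	return target, nil
}

func main() {
	cache := "/home/user/.cache/compose/artifact" // constructed sample path
	// Constructed annotation values: two benign, two that must be rejected.
	samples := []string{"compose.yaml", "sub/../compose.yaml", "../../outside/file", "/etc/file"}
	for _, a := range samples {
		p, err := safeCachePath(cache, a)
		fmt.Printf("%-24q unsafe=%s safe=%q err=%v\n", a, unsafeCachePath(cache, a), p, err)
	}
}
```

The check is lexical only: it does not resolve symlinks that already exist inside the cache directory, so a caller that cannot rule those out needs an additional resolved-path comparison.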

Exploitation Details

  • The bug triggers during artifact resolution, not container runtime.
  • An attacker could exploit this by tricking a user into running almost any Docker Compose command (e.g., docker compose ps) in a directory containing a specially crafted docker-compose.yaml file that references a malicious remote artifact.
  • The Compose CLI would fetch the malicious artifact from an attacker’s OCI registry and, by processing the annotations, would blindly write an arbitrary file outside its cache directory.
  • The proof-of-concept demonstrated system compromise by targeting ~/.ssh/authorized_keys to inject the attacker’s public key, immediately granting SSH access to the victim’s machine.

Recommendations

  1. Users are strongly recommended to upgrade to Docker Compose v2.40.2 or later.

Ampcus Cyber