2406643 – (CVE-2025-62725) CVE-2025-62725 docker-compose: Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations

Bug 2406643 (CVE-2025-62725) - CVE-2025-62725 docker-compose: Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations

Summary: CVE-2025-62725 docker-compose: Docker Compose Vulnerable to Path Traversal vi...

Keywords:
Status:	NEW
Alias:	CVE-2025-62725
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2406691 2406693
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-27 21:01 UTC by OSIDB Bzimport
Modified:	2025-10-28 05:32 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-27 21:01:32 UTC

Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. This affects any platform or workflow that resolves remote OCI compose artifacts, Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, cloud dev environments is affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read‑only commands such as docker compose config or docker compose ps. This issue is fixed in v2.40.2.

Note You need to log in before you can comment on or make changes to this bug.