TL;DR

A path traversal vulnerability in Docker Compose's OCI artifact handling (CVE-2025-62725, NIST severity 8.9) could let attackers cause Compose to write files anywhere the process can access. Separately, Docker Desktop's Windows installer was patched for a DLL search-order hijack (EUVD-2025-36191, ENISA 8.8). Users are advised to install the fixes immediately.

What happened

A researcher at Imperva, Ron Masas, discovered a high-severity path traversal issue in Docker Compose's implementation of OCI-based Compose artifacts. When processing OCI layers, Compose relied on layer annotations to determine where to write files; it concatenated those annotations with its local cache directory without normalizing or canonicalizing the resulting path. An attacker who gets a user to reference a malicious remote artifact could craft annotations that traverse out of the cache and force Compose to write arbitrary files to locations on the host where the Compose process has write permissions. NIST assigned the flaw CVE-2025-62725 with an 8.9 severity score. Imperva recommended upgrading Compose to v2.40.2, and Docker issued a fix. In a separate advisory, ENISA flagged a DLL hijacking problem in Docker Desktop's installer that was closed in Desktop 4.49.0.

Why it matters

  • A compromised Compose artifact can bypass container boundaries to modify host files if the Compose process has write access.
  • Many development and CI/CD workflows rely on Compose, so a wide range of environments could be exposed.
  • The Desktop installer weakness could allow privilege escalation on Windows systems via malicious DLLs placed in user-writable locations.
  • Timely updates are necessary because both issues received high severity ratings from public authorities (NIST and ENISA).

Key facts

  • CVE-2025-62725: path traversal in Docker Compose OCI artifact processing; NIST severity 8.9.
  • Issue found by Imperva researcher Ron Masas in early October.
  • Flaw stems from trusting OCI layer annotations and joining them to Compose's cache without path normalization.
  • A crafted annotation can traverse out of the cache and cause writes anywhere the Compose process can write.
  • Imperva recommended updating Compose to v2.40.2; Docker released a corresponding fix.
  • ENISA flagged a DLL hijack in Docker Desktop's installer as EUVD-2025-36191 with an 8.8 rating.
  • Docker Desktop patched the installer issue in version 4.49.0.
  • Docker's release notes state future Desktop releases will require Windows 10 22H2 or Windows 11 23H2.
  • This follows another recent high-severity/critical Docker issue patched in August.

What to watch next

  • Upgrade Docker Compose to v2.40.2 and Docker Desktop to 4.49.0 if you have not already.
  • Audit CI/CD runners, developer machines and cloud workspaces that consume remote Compose artifacts for unexpected file writes.
  • Monitor vendor advisories for any follow-up fixes, detection rules or indicators of compromise — not confirmed in the source.

Quick glossary

  • OCI (Open Container Initiative): A set of standards for container formats and runtimes used to package and distribute container images and related artifacts.
  • Path traversal: A class of vulnerability where crafted file paths allow attackers to access or write files outside an intended directory.
  • DLL hijacking (DLL search-order hijack): An attack that abuses the order a Windows program searches for DLLs to load a malicious library from a location the attacker controls.
  • Compose artifact: A packaged set of files or metadata used by Docker Compose to reconstruct application definitions and file structures.

Reader FAQ

Which Compose version fixes the path traversal issue?
Imperva recommended v2.40.2; Docker issued a fix tied to that release.

Which Docker Desktop release fixes the installer DLL hijack?
Docker Desktop 4.49.0 contains the fix for the installer DLL search-order vulnerability.

Have these vulnerabilities been seen exploited in the wild?
Not confirmed in the source.

How does the Compose attack work in simple terms?
Compose trusted layer annotations from OCI artifacts and concatenated them to its cache path without normalization, allowing a malicious annotation to escape the cache and trigger writes to arbitrary host locations accessible by the process.
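The following Go snippet is an added illustration, not Compose's own code and not a reconstruction of the patch. It contrasts the unchecked join described in "What happened", "Key facts" and the answer above with the check a defender would expect: clean the joined path and verify it still resolves inside the cache root before any write is attempted. The cache directory and the annotation values are constructed samples; Compose's real annotation keys are not used.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an annotation value would resolve outside the cache root.
var ErrTraversal = errors.New("layer annotation escapes cache directory")

// unsafeTarget mirrors the behaviour the advisory describes: the annotation
// value is joined onto the cache directory with no check that the result
// still lies under cacheRoot. Illustrative only; not Compose's actual code.
func unsafeTarget(cacheRoot, annotation string) string {
	return filepath.Join(cacheRoot, annotation)
}

// safeTarget cleans the joined path and verifies it remains within cacheRoot.
// A layer path must be relative, so absolute values are rejected outright.
func safeTarget(cacheRoot, annotation string) (string, error) {
	root := filepath.Clean(cacheRoot)
	if filepath.IsAbs(annotation) {
		return "", ErrTraversal
	}
	target := filepath.Clean(filepath.Join(root, annotation))
	// filepath.Rel yields ".." or "../..." when target is outside root.
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed sample cache directory and annotation values.
	root := "/tmp/compose-cache"
	samples := []string{
		"project/compose.yaml", // legitimate, stays under the cache
		"../../etc/outside.txt", // climbs out of the cache
		"/etc/outside.txt",      // absolute path
		"a/../../b",             // escapes after normalization
	}
	for _, a := range samples {
		safe, err := safeTarget(root, a)
		fmt.Printf("annotation %q\n  unchecked join -> %s\n", a, unsafeTarget(root, a))
		if err != nil {
			fmt.Printf("  checked join   -> rejected (%v)\n", err)
		} else {
			fmt.Printf("  checked join   -> %s\n", safe)
		}
	}
}
```

The check relies on filepath.Rel rather than a string prefix test on the cleaned path, which avoids the classic mistake of accepting a sibling directory whose name merely starts with the cache root's name.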

Sources

  • "Docker Compose vulnerability opens door to host-level writes – patch pronto. Windows Desktop installer also fixed after DLL hijack flaw rated 8.8 severity", Joe Fay, Thu 30 Oct 2025, 16:27 UTC…
