CVE-2025-62725: When a 'harmless' command in Docker Compose turns into a system-wide backdoor
A critical vulnerability has been discovered in Docker Compose, allowing attackers to easily take control of the server system.
An Overview of Docker Compose
For those who don't know, Docker Compose is a tool that comes with Docker, helping users define and manage multiple containers in an application with a single configuration file. Simply put, instead of running multiple complex docker run commands to start each container, Docker Compose allows users to:
Describe the entire application architecture (web server, database, cache, message queue, etc.) in a YAML file.
Start, stop, and manage all containers with a single command.
And of course, with features like these, Docker Compose has many outstanding advantages:
Quick deployment of multi-component applications.
Easy management of configurations with a single YAML file.
Reusable environments - ideal for development or testing.
Good integration with Docker Swarm, CI, and CD pipelines.
Vulnerability Context
Due to the outstanding advantages of Docker Compose, attackers and security experts are always looking for ways to exploit its weaknesses. Recently, a very serious vulnerability was discovered with the identifier: CVE-2025-62725, posing a threat to millions of users as well as the global DevOps and security community. This flaw allows an attacker to overwrite arbitrary files on the server system through specially crafted OCI packages, even without launching any containers.
The concerning point is that even when users only run "read-only" commands like docker compose ps or docker compose config, without starting a container, they can still be exploited—because the process of handling remote artifacts also triggers the faulty code. Therefore, this vulnerability is significant in DevOps/CI/CD environments, where Docker Compose is widely used, and it proves that "just including YAML from remote" can lead to "system compromise."
Affected Version
- This vulnerability affects all versions of Docker Compose before v2.40.2.
Vulnerability Description
Vulnerability Code: CVE-2025-62725
CVSS Score: 8.9/10, indicating a high level of severity.
Attack Mechanism: This vulnerability can allow an attacker to perform Path Traversal, disclose sensitive information, or corrupt data.
Consequences:
Information Leakage and Data Corruption: An attacker can view sensitive files or insert malicious content into them.
Execution of Path Traversal
Details on how to exploit
As mentioned, this vulnerability exists due to a new feature recently shared by Docker Compose. This feature supports OCI-based Compose artifacts, allowing developers to download and use Compose files from remote repositories to increase flexibility and portability. However, because of this, an attacker can create a Tiny OCI Registry PoC (a very small HTTP server simulating the /v2 registry API) that returns an OCI/Compose artifact manifest with a layer containing the annotation com.docker.compose.file pointing to a path traversal ("../../../../../../../tmp/pwnd").
After creating a fake OCI registry containing the Compose artifact, the attacker will trick the user into running any Compose command in a directory where docker-compose.yaml specifies an include to the malicious artifact.
When the command runs, the CLI will download the artifact from the attacker's registry—revealing the victim's IP to the attacker—and write a YAML fragment outside the cache directory, for example, into ~/.ssh/authorized_keys, injecting the attacker's public key to gain SSH access to the host, without actually starting any container. At this point, the attacker can maintain RCE on the target system or keep a backdoor.
Finally, once the vulnerability is successfully exploited, the attacker can easily perform actions such as:
Write arbitrary files outside the cache
Install a backdoor
Gain control over the account running Compose (local privilege escalation)
Access sensitive information (confidential data access)
Lateral movement within the network
Contaminate the DevOps supply chain
Conclusion
The vulnerability CVE-2025-62725 reminds us once again that in the DevOps world, dangers don't just come from malware, but also from seemingly harmless configuration lines. A simple command like docker compose ps—which is only used to observe the container's status—can become the starting point for taking over the entire system if it falls into the hands of a sophisticated attacker.
This incident shows that the line between "utility" and "risk" in infrastructure automation is becoming increasingly thin. Security is not just about applying patches, but also about proactive defense thinking: controlling the source of artifacts, limiting execution rights, and monitoring every unusual behavior, no matter how small.
Recommendations
Update Version
Mandatory upgrade to Docker Compose ≥ v2.40.2 (vulnerability patched).
Check the current version
If < 2.40.2, upgrade:
In the CI/CD environment (Jenkins, GitLab, GitHub Actions, etc.): update the image or runner base image to a version with the new Compose.
Run Docker Compose with minimal privileges
Do not run Compose with
sudounless necessary.Create a separate user for Docker (not in the
rootgroup).Use
--env-fileor.envas read-only, do not allow overwriting from artifacts.If the system allows, use SELinux/AppArmor profile to restrict Compose CLI from writing outside the allowed directory.
Limit "remote include"
Do not include YAML from the Internet or uncontrolled registries.
Use internal artifacts or mirror registries with verified checksums.
Set up a whitelist registry in the CI/CD configuration, for example, only allow internal domains.
If you must include remote, then:
Use HTTPS + artifact signature validation.
Use a script to verify the SHA256 hash of the YAML before running.
Security awareness training
Train DevOps & Developers:
Do not trust YAML/Compose files downloaded from GitHub or Pastebin.
Only use compose files from internal or verified repositories.
Explain that commands like “docker compose ps” or “docker compose config” can also exploit vulnerabilities, not just “docker compose up”.
