Docker

Docker was affected by CVE-2025-62725, a critical path traversal vulnerability in Docker Compose (fixed in v2.40.2) that allowed attackers to escape the tool's cache directory and write arbitrary files on the host system through malicious OCI-based Compose artifacts. The flaw stemmed from improper handling of layer annotations: Compose trusted the paths they carried without sanitizing them, so an attacker could traverse outside the intended directory and overwrite any file the Compose process had write permissions for. This posed a severe risk to workflows that rely on Compose, including CI/CD pipelines, cloud workspaces, and enterprise build systems, and could have led to unauthorized code execution, system compromise, or supply-chain attacks if exploited. Separately, Docker also patched EUVD-2025-36191, a DLL hijacking vulnerability in its Windows Installer (Desktop Installer.exe), which allowed attackers to escalate privileges by planting malicious DLLs in the user's Downloads folder. Both flaws underscored the risks of unvalidated input handling and insecure default configurations, reinforcing the need for strict path sanitization and timely updates. While no active exploits were reported, the vulnerabilities exposed millions of Docker users to potential system takeover, data manipulation, or lateral movement within networks if left unpatched.

Source: https://www.theregister.com/2025/10/30/docker_compose_desktop_flaws/

TPRM report: https://www.rankiteo.com/company/docker

"id": "doc2992329103025",
"linkid": "docker",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks: - Attack which causes leak of personal information of customers (only if no ransomware) - Attack by hackers which causes data leak of customer information (only if no ransomware)"
{'affected_entities': [{'customers_affected': 'Millions (users of Docker '
                                              'Compose and Docker Desktop)',
                        'industry': 'Software/Cloud Computing',
                        'location': 'Global',
                        'name': 'Docker, Inc.',
                        'type': 'Organization'}],
 'attack_vector': ['Network', 'Local (DLL Hijacking)'],
 'customer_advisories': ['Public urging to upgrade immediately'],
 'date_detected': '2024-10-01T00:00:00Z',
 'description': 'Docker Compose users are being strongly urged to upgrade '
                'their versions of the orchestration tool after a researcher '
                'uncovered a flaw (CVE-2025-62725, severity 8.9) that could '
                'allow attackers to stage path traversal attacks by escaping '
                "Compose's cache directory and writing arbitrary files on the "
                "host system. The vulnerability was found in the tool's "
                'support for OCI-based Compose artifacts, where Compose '
                'trusted layer annotations without proper path sanitization. '
                'Additionally, Docker fixed a DLL hijacking vulnerability '
                '(EUVD-2025-36191, severity 8.8) in its Windows Installer '
                '(Desktop Installer.exe), which allowed attackers to gain '
                'higher-level system access by placing malicious DLLs in the '
                'Downloads folder. Both flaws have been patched in Docker '
                'Compose v2.40.2 and Docker Desktop 4.49.0, respectively.',
 'impact': {'brand_reputation_impact': 'Moderate (repeated high-severity '
                                       'vulnerabilities in Docker products may '
                                       'erode trust).',
            'operational_impact': 'Potential arbitrary file writes on host '
                                  'systems (Compose) or privilege escalation '
                                  'via DLL hijacking (Desktop).',
            'systems_affected': ['Docker Compose (OCI artifact processing)',
                                 'Docker Desktop (Windows Installer)']},
 'initial_access_broker': {'entry_point': ['Malicious OCI-based Compose '
                                           'artifact (path traversal)',
                                           'Malicious DLL in Downloads folder '
                                           '(DLL hijacking)'],
                           'high_value_targets': ['Host system files (Compose)',
                                                  'Privileged system access '
                                                  '(Desktop)']},
 'investigation_status': 'Resolved (patches released)',
 'lessons_learned': ['Sanitize all file paths, even in seemingly safe formats '
                     'like YAML.',
                     'Secure DLL search order to prevent hijacking.',
                     "Regular updates are critical (aligns with OWASP's Docker "
                     "security rule: 'Keep Host and Docker up to date')."],
 'post_incident_analysis': {'corrective_actions': ['Path '
                                                   'normalization/canonicalization '
                                                   'in Compose.',
                                                   'Secured DLL search order '
                                                   'in Desktop Installer.'],
                            'root_causes': ['Lack of path sanitization in OCI '
                                            'artifact processing (Compose).',
                                            'Insecure DLL search order in '
                                            'Windows Installer (Desktop).']},
 'recommendations': ['Upgrade Docker Compose to v2.40.2 or later.',
                     'Upgrade Docker Desktop to 4.49.0 or later (note: future '
                     'versions require Windows 10 22H2/Windows 11 23H2).',
                     'Avoid downloading/untrusted DLLs in system paths.',
                     'Monitor for unauthorized file writes or privilege '
                     'escalations.'],
 'references': [{'source': 'Imperva Research (Ron Masas)'},
                {'source': 'NIST NVD (CVE-2025-62725)'},
                {'source': 'ENISA (EUVD-2025-36191)'},
                {'source': 'Docker Release Notes (v2.40.2, 4.49.0)'}],
 'regulatory_compliance': {'regulatory_notifications': ['NIST (CVE-2025-62725)',
                                                        'ENISA '
                                                        '(EUVD-2025-36191)']},
 'response': {'communication_strategy': ['Public advisories via NIST, ENISA, '
                                         'and vendor release notes.'],
              'containment_measures': ['Patches released (Compose v2.40.2, '
                                       'Desktop 4.49.0).'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Users urged to upgrade immediately.'],
              'remediation_measures': ['Sanitize all file paths in OCI '
                                       'artifact processing (Compose).',
                                       'Secure DLL search order in Windows '
                                       'Installer (Desktop).'],
              'third_party_assistance': ['Imperva (researcher Ron Masas)',
                                         'ENISA (for DLL hijacking '
                                         'disclosure)']},
 'stakeholder_advisories': ['NIST, ENISA, Docker release notes'],
 'title': 'Critical Path Traversal and DLL Hijacking Vulnerabilities in Docker '
          'Compose and Docker Desktop',
 'type': ['Vulnerability', 'Path Traversal', 'DLL Hijacking'],
 'vulnerability_exploited': [{'cve_id': 'CVE-2025-62725',
                              'description': 'Path traversal vulnerability in '
                                             "Docker Compose's OCI artifact "
                                             'support, allowing arbitrary file '
                                             'writes via crafted layer '
                                             'annotations.',
                              'severity': 'High (8.9)'},
                             {'cve_id': 'EUVD-2025-36191',
                              'description': 'DLL hijacking vulnerability in '
                                             'Docker Desktop Installer.exe due '
                                             'to insecure DLL search order '
                                             "(prioritizing user's Downloads "
                                             'folder).',
                              'severity': 'High (8.8)'}]}