Warning: High-Severity Path Traversal Vulnerability in Docker Compose, Patch Immediately!

Published: 30/10/2025
  • Last update: 30-10-2025
  • Affected software:
    → Docker Compose <v2.40.2
  • Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CVE/CVSS
    → CVE-2025-62725: CVSS-B 8.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Sources

https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q
https://gist.github.com/masasron/874359f4c5a771332bffcc147a812432

Risks

An 8.9 high-severity vulnerability (CVE-2025-62725) exists in Docker Compose. If left unpatched, affected instances are vulnerable to path traversal attacks with possible high impact on confidentiality, integrity and availability of data.

There is no information indicating that the aforementioned vulnerability is being actively exploited; however, a proof-of-concept (PoC) exploit has been publicly shared on GitHub.

CVE-2025-62725 is patched in v2.40.2.

Description

CVE-2025-62725 is an "Improper Limitation of a Pathname to a Restricted Directory" (path traversal) vulnerability in Docker Compose versions below v2.40.2. It could allow attackers to escape the cache directory and overwrite arbitrary files on the machine running Docker Compose, even if the user only runs read-only commands.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
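To find installations that still need the update, the following POSIX shell check is an added example (not from the advisory or the Docker project): it normalises a Docker Compose version string and reports whether it is below the fixed release v2.40.2. It assumes `docker compose version --short` prints the bare version number.

```shell
#!/bin/sh
# Added example: flag Docker Compose installs below the fix for CVE-2025-62725.
# Pure POSIX sh so it can run on any host without extra version-compare tools.

FIXED_VERSION="2.40.2"   # first release containing the fix, per the advisory

# Return 0 when $1 sorts strictly before $2 as a dotted numeric version
# (numeric per field, so 2.9.9 < 2.40.2; missing fields count as 0).
version_lt() {
    a=$1; b=$2
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Accepts "v2.40.1", "2.40.1-desktop.1", "2.40.1+build" etc. and returns 0
# (true) when the version is affected, i.e. below v2.40.2.
compose_is_vulnerable() {
    v=$(printf '%s' "$1" | sed -e 's/^v//' -e 's/[-+].*$//')
    version_lt "$v" "$FIXED_VERSION"
}

# Query the installed plugin (assumption: --short prints only the number).
installed_compose_version() {
    docker compose version --short 2>/dev/null
}

check_installed() {
    v=$(installed_compose_version) || { echo "docker compose not found"; return 2; }
    if compose_is_vulnerable "$v"; then
        echo "Docker Compose $v is affected by CVE-2025-62725: upgrade to v$FIXED_VERSION or later"
        return 1
    fi
    echo "Docker Compose $v is not affected (>= v$FIXED_VERSION)"
    return 0
}

# Run the live check only when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Run as `sh compose-check.sh --check` on each host; a non-zero exit status means the installed version is affected or Compose was not found.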

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-62725