Source: docker-compose
Version: 2.32.4-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for docker-compose.

CVE-2025-62725[0]:
| Docker Compose trusts the path information embedded in remote OCI
| compose artifacts. When a layer includes the annotations
| com.docker.compose.extends or com.docker.compose.envfile, Compose
| joins the attacker-supplied value from
| com.docker.compose.file/com.docker.compose.envfile with its local
| cache directory and writes the file there. This affects any platform
| or workflow that resolves remote OCI compose artifacts; Docker
| Desktop, standalone Compose binaries on Linux, CI/CD runners and cloud
| dev environments are affected. An attacker can escape the cache
| directory and overwrite arbitrary files on the machine running
| docker compose, even if the user only runs read-only commands such
| as docker compose config or docker compose ps. This issue is fixed
| in v2.40.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-62725
    https://www.cve.org/CVERecord?id=CVE-2025-62725
[1] https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q
[2] https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
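The flaw described in the report is the classic unchecked join of an untrusted relative path with a trusted base directory. The Go snippet below is an added illustration for this bug report, not code from the Compose project or from its fix commit: it places the flawed join pattern beside a hardened variant that rejects any annotation value whose cleaned result leaves the cache directory. The function names, the cache directory and the sample annotation values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when a resolved path escapes the cache directory.
var ErrOutsideCache = errors.New("annotation path escapes cache directory")

// unsafeCachePath mirrors the flawed pattern: the annotation value taken from
// the OCI artifact is joined with the cache directory and used as-is.
// filepath.Join cleans the result, so "../" segments silently walk upward.
func unsafeCachePath(cacheDir, annotated string) string {
	return filepath.Join(cacheDir, annotated)
}

// safeCachePath joins the same way but then verifies containment: the path
// relative to the cache directory must not start with ".." and must name a
// file rather than the directory itself. (Hypothetical hardening; symlinks
// already present under cacheDir would still need filepath.EvalSymlinks.)
func safeCachePath(cacheDir, annotated string) (string, error) {
	base := filepath.Clean(cacheDir)
	target := filepath.Join(base, annotated)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", ErrOutsideCache
	}
	if rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return target, nil
}

func main() {
	// Constructed sample annotation values: one benign, one traversing.
	cache := "/var/cache/compose"
	for _, v := range []string{"project/compose.yaml", "../../../etc/passwd"} {
		fmt.Printf("unsafe: %-22q -> %s\n", v, unsafeCachePath(cache, v))
		if p, err := safeCachePath(cache, v); err != nil {
			fmt.Printf("safe:   %-22q -> rejected (%v)\n", v, err)
		} else {
			fmt.Printf("safe:   %-22q -> %s\n", v, p)
		}
	}
}
```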

