On 28/10/2025 20:38, Salvatore Bonaccorso wrote:
Source: docker-compose
Version: 2.32.4-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for docker-compose.
CVE-2025-62725[0]:
| Docker Compose trusts the path information embedded in remote OCI
| compose artifacts. When a layer includes the annotations
| com.docker.compose.extends or com.docker.compose.envfile, Compose
| joins the attacker‑supplied value from
| com.docker.compose.file/com.docker.compose.envfile with its local
| cache directory and writes the file there. This affects any platform
| or workflow that resolves remote OCI compose artifacts: Docker
| Desktop, standalone Compose binaries on Linux, CI/CD runners and cloud
| dev environments are affected. An attacker can escape the cache
| directory and overwrite arbitrary files on the machine running
| docker compose, even if the user only runs read‑only commands such
| as docker compose config or docker compose ps. This issue is fixed
| in v2.40.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-62725
https://www.cve.org/CVERecord?id=CVE-2025-62725
[1] https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q
[2] https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
I started to look at this, and from what I see in the referenced commit
that fixes this [2]: the two features based on "annotations" where the
new validatePathInBase() is used before creating files [line 221] and
[line 245] did not exist prior to v2.33.0, as they have been added
respectively in [66a4716] (since v2.34.0) and [8402888] (since v2.33.0).
I would like to have another look, but IMO it can safely be restricted
to a narrower range of versions.
[line 221] https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R221
[line 245] https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R245
[66a4716] https://github.com/docker/compose/commit/66a47169d51ef4be5e230dda982661248b20f60a#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6L160-R167
[8402888] https://github.com/docker/compose/commit/840288895e673fcccd56a7830dee30d8a75523ef#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R184-R196
--
Nicolas Peugnet
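The CVE text above describes the defect (an annotation value from the artifact joined onto the local cache directory without confinement) and the reply names the fix pattern (a validatePathInBase() check before any file is written). As an added illustration that is not Compose's own code, the `safeJoin` function below shows what such a confinement check looks like in Go: the base directory, the file names and the traversal values are constructed for the example, and the function and error names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscapesBase is returned when the resolved path leaves the base directory.
var ErrPathEscapesBase = errors.New("path escapes base directory")

// safeJoin joins an untrusted, artifact-supplied relative path onto base and
// rejects any result that does not stay inside base. It is a hypothetical
// stand-in for the kind of check the thread refers to, not Compose's own
// validatePathInBase. The check works on the cleaned, absolute form of the
// joined path, so "sub/../x" is accepted while "../x" and "/x" are not.
// Note: it does not resolve symlinks already present under base.
func safeJoin(base, untrusted string) (string, error) {
	absBase, err := filepath.Abs(filepath.Clean(base))
	if err != nil {
		return "", err
	}
	// An absolute value would ignore base entirely, so it is never acceptable.
	if filepath.IsAbs(untrusted) {
		return "", ErrPathEscapesBase
	}
	joined := filepath.Join(absBase, untrusted) // Join also cleans ".." segments
	// Comparing via Rel (not a string prefix) also rejects "/base-evil/x"
	// when base is "/base": Rel yields a path starting with "..".
	rel, err := filepath.Rel(absBase, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapesBase
	}
	return joined, nil
}

func main() {
	base := "/tmp/compose-cache/example" // constructed cache directory
	for _, v := range []string{"compose.yaml", "sub/../.env", "../../etc/crontab", "/etc/passwd"} {
		p, err := safeJoin(base, v)
		fmt.Printf("%-20q -> %q err=%v\n", v, p, err)
	}
}
```

Running it on Linux accepts the first two values and rejects the last two with ErrPathEscapesBase.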