Full Report
Windows Desktop installer also fixed after DLL hijack flaw rated 8.8 severity Docker Compose users are being strongly urged to upgrade their versions of the orchestration tool after a researcher uncovered a flaw that could allow attackers to stage path traversal attacks.…
Analysis Summary
# Vulnerability: Path Traversal in Docker Compose OCI Artifact Processing
## CVE Details
- CVE ID: CVE-2025-62725
- CVSS Score: 8.9 (High)
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Segment of a Physical File System - Path Traversal)
## Affected Systems
- Products: Docker Compose
- Versions: Not explicitly listed, but applies to versions prior to the patch included in v2.40.2.
- Configurations: When processing OCI-based Compose artifacts that include untrusted layer annotations.
## Vulnerability Description
A path traversal vulnerability exists in Docker Compose when processing OCI layers. When relying on layer annotations to determine file write locations during artifact processing, Compose performed a simple string concatenation between its local cache directory and the provided annotation path without proper normalization or canonicalization checks. This allowed a maliciously crafted annotation to escape the intended cache directory, enabling an attacker to write arbitrary files to any location on the host system where the Compose process had write permissions.
## Exploitation
- Status: PoC available (Researcher noted discovery during exploration)
- Complexity: Low (Relies on tricking a user into referencing a malicious remote artifact)
- Attack Vector: Network (via malicious remote artifact reference)
## Impact
- Confidentiality: Potential compromise (Arbitrary file write capability could lead to information disclosure)
- Integrity: High (Arbitrary file write allows modification or replacement of critical system files)
- Availability: Potential compromise (Attacks leading to system file overwrites)
## Remediation
### Patches
- Upgrade Docker Compose to **v2.40.2** or later.
### Workarounds
- No specific workarounds were detailed beyond immediate upgrading, as the issue lies in fundamental input handling during artifact processing.
## Detection
- Monitoring for unusual file write operations originating from the Docker Compose process outside of expected caching directories during artifact processing.
- Reviewing logs for unexpected file system changes corresponding to user execution of `docker compose` against untrusted remote artifacts.
## References
- [Imperva Blog on CVE-2025-62725](https://www-imperva-com/blog/cve-2025-62725-from-docker-compose-ps-to-system-compromise/) (Defanged: https://www-imperva-com/blog/cve-2025-62725-from-docker-compose-ps-to-system-compromise/)
***
# Vulnerability: DLL Hijacking in Docker Desktop Windows Installer
## CVE Details
- CVE ID: EUVD-2025-36191
- CVSS Score: 8.8 (High)
- CWE: CWE-426 (Untrusted Search Path)
## Affected Systems
- Products: Docker Desktop Windows Installer (Desktop Installer.exe)
- Versions: Versions prior to Docker Desktop **4.49.0**.
- Configurations: Windows OS where the installer is run.
## Vulnerability Description
The Docker Desktop Windows Installer (`Desktop Installer.exe`) suffers from an insecure DLL search order vulnerability. The installer searches for required DLLs in the user's `Downloads` folder *before* checking standard, secure system directories. This allows an attacker to place a malicious DLL file in a location searched sooner by the installer, causing the installer (which runs with elevated privileges) to load and execute the malicious code, leading to higher-level system access.
## Exploitation
- Status: Assumed unexploited in the wild (Focus is on remediation)
- Complexity: Medium (Requires placing a malicious DLL in a specific, accessible path before installation/execution)
- Attack Vector: Local (Requires interaction with the installer execution flow)
## Impact
- Confidentiality: High (Potential for code execution with elevated installer privileges)
- Integrity: High (Potential for system state modification)
- Availability: Potential compromise
## Remediation
### Patches
- Upgrade to Docker Desktop **4.49.0** or later.
### Workarounds
- Ensure that only trusted installers are executed.
- Temporarily restrict write access to common user download folders if upgrades cannot be immediately performed, although this is a blunt measure.
## Detection
- Monitoring processes executing `Desktop Installer.exe` and checking for unexpected dynamic library loading activities from user-writable temporary directories.
## References
- [ENISA Vulnerability Database Entry](https://euvd-enisa-europa-eu/vulnerability/EUVD-2025-36191) (Defanged: https://euvd-enisa-europa-eu/vulnerability/EUVD-2025-36191)