Docker Compose Bug Lets Hackers Overwrite Any File
A newly disclosed Docker Compose bug lets hackers overwrite arbitrary files on affected systems by exploiting a high-severity path traversal flaw tracked as CVE-2025-62725. The vulnerability, which carries a CVSS v4 score of 8.9, impacts users of Docker Desktop, standalone Compose binaries, and Compose V2 integrations within the Docker CLI. Attackers can abuse the way Docker Compose processes Open Container Initiative (OCI) artifacts to write to file paths outside the intended extraction directory and tamper with system files there.
Security researchers identified that the vulnerability stems from improper validation of file paths during the unpacking of OCI artifacts. Because of this, the Docker Compose bug lets hackers craft malicious artifacts whose entries overwrite critical files, potentially leading to further system compromise. This issue is one of several recently highlighted vulnerabilities, including CVE-2025-11371 and CVE-2025-54253, underscoring the importance of timely updates.
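The root cause described above is the classic archive path-traversal pattern: an entry name in the artifact is joined to the extraction root without checking that the result stays inside it. The following Go example, added here and not taken from Docker Compose or the report it links to, shows the kind of lexical containment check an unpacker needs for both regular entries and symlink targets; the root path and entry names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when an artifact entry would land outside the extraction root.
var ErrPathTraversal = errors.New("artifact entry escapes extraction root")

// insideRoot reports whether the cleaned absolute path p is root itself or strictly below it.
func insideRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// SafeExtractPath resolves an entry name from an OCI layer/archive against root and
// returns the destination path, or ErrPathTraversal if the entry is absolute or
// escapes root through ".." segments once the path is cleaned.
func SafeExtractPath(root, entry string) (string, error) {
	if entry == "" || filepath.IsAbs(entry) || strings.HasPrefix(entry, "/") || strings.HasPrefix(entry, `\`) {
		return "", ErrPathTraversal
	}
	cleanRoot := filepath.Clean(root)
	dest := filepath.Join(cleanRoot, entry) // Join cleans, so "a/../../x" collapses before the check
	if !insideRoot(cleanRoot, dest) {
		return "", ErrPathTraversal
	}
	return dest, nil
}

// SafeSymlinkTarget checks a symlink entry at linkPath (relative to root) whose target is
// target. Absolute targets are rejected outright (a conservative policy assumed here),
// and relative targets are resolved against the link's directory and must stay in root.
func SafeSymlinkTarget(root, linkPath, target string) error {
	linkDest, err := SafeExtractPath(root, linkPath)
	if err != nil {
		return err
	}
	if target == "" || filepath.IsAbs(target) || strings.HasPrefix(target, "/") {
		return ErrPathTraversal
	}
	resolved := filepath.Join(filepath.Dir(linkDest), target)
	if !insideRoot(filepath.Clean(root), resolved) {
		return ErrPathTraversal
	}
	return nil
}

func main() {
	// Constructed sample entries: one benign, one traversing out of the root.
	for _, e := range []string{"etc/config.yaml", "../../etc/passwd"} {
		p, err := SafeExtractPath("/tmp/out", e)
		fmt.Printf("%-20s -> %q err=%v\n", e, p, err)
	}
}
```

This check is purely lexical: a complete extractor must also refuse to write through a symlink that an earlier entry already created inside the root (for example by Lstat-ing each path component before opening the destination), otherwise a two-entry artifact can still redirect a write outside the tree.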
To learn more about this vulnerability and view mitigation details, read the full report at the following link:
Docker Compose Path Traversal (CVE-2025-62725) Allows Arbitrary File Overwrite via OCI Artifacts
