CVE-2025-62725: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in docker compose
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value from com.docker.compose.file or com.docker.compose.envfile with its local cache directory and writes the file there. This affects any platform or workflow that resolves remote OCI compose artifacts: Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, and cloud dev environments are all affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as docker compose config or docker compose ps. This issue is fixed in v2.40.2.
AI Analysis
Technical Summary
CVE-2025-62725 is a path traversal vulnerability (CWE-22) in Docker Compose that stems from improper validation of pathname inputs embedded within remote OCI compose artifacts. Specifically, when Docker Compose processes layers containing the annotations 'com.docker.compose.extends' or 'com.docker.compose.envfile', it concatenates attacker-controlled values from 'com.docker.compose.file' or 'com.docker.compose.envfile' with its local cache directory path. This concatenation lacks sufficient sanitization, allowing an attacker to escape the intended cache directory boundary and write files arbitrarily on the host filesystem. This flaw affects all platforms and workflows that resolve remote OCI compose artifacts, including Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, and cloud development environments. Notably, exploitation does not require elevated privileges or authentication, and can be triggered even by running read-only commands such as 'docker compose config' or 'docker compose ps'. The vulnerability can lead to arbitrary file overwrite, potentially resulting in code execution, privilege escalation, or denial of service by corrupting critical system or application files. The vulnerability was publicly disclosed on October 27, 2025, with a CVSS 4.0 score of 8.9, indicating a high severity level. The issue is resolved in Docker Compose version 2.40.2, which includes proper validation and sanitization of path inputs to prevent directory traversal. No known exploits are currently reported in the wild, but the ease of exploitation and impact warrant immediate attention.
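The join described above, shown as an added example that is not Compose's own code nor the actual fix shipped in v2.40.2: unsafeCachePath reproduces the unchecked join on the annotation value, and safeCachePath is a hardened form that refuses any result outside the cache directory. The function names, the cache path and the annotation values are constructed for illustration; only the annotation keys come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Annotations the advisory names as carrying attacker-controlled path values.
const (
	annotationFile    = "com.docker.compose.file"
	annotationEnvFile = "com.docker.compose.envfile"
)

var errOutsideCache = errors.New("annotation path escapes the cache directory")

// unsafeCachePath reproduces the pre-fix pattern the advisory describes: a
// plain join with no containment check, so "../../x" lands outside cacheDir.
func unsafeCachePath(cacheDir, annotated string) string {
	return filepath.Join(cacheDir, annotated)
}

// safeCachePath is the hardened form: it rejects absolute values and any join
// result that is not strictly inside cacheDir (Go 1.20+ filepath.IsLocal is
// an equivalent check on the raw value).
func safeCachePath(cacheDir, annotated string) (string, error) {
	if annotated == "" || filepath.IsAbs(annotated) {
		return "", errOutsideCache
	}
	root := filepath.Clean(cacheDir)
	candidate := filepath.Join(root, annotated)
	rel, err := filepath.Rel(root, candidate)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideCache
	}
	return candidate, nil
}

func main() {
	cache := filepath.Join("home", "dev", ".cache", "docker-compose")
	// Constructed annotation values: one benign, one carrying a traversal.
	for _, v := range []string{"service/compose.yaml", "../../escaped.env"} {
		p, err := safeCachePath(cache, v)
		fmt.Printf("%s=%q unsafe=%q safe=%q err=%v\n", annotationFile, v, unsafeCachePath(cache, v), p, err)
	}
}
```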
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of systems running Docker Compose versions prior to 2.40.2. Organizations relying on Docker Compose for local development, CI/CD pipelines, or cloud-based development environments could have their host systems compromised by attackers who craft malicious OCI compose artifacts. The ability to overwrite arbitrary files without authentication or elevated privileges means attackers could implant backdoors, modify configuration files, or disrupt services, leading to data breaches, service outages, or lateral movement within networks. Given the widespread adoption of Docker and containerization technologies across European enterprises, especially in technology, finance, and manufacturing sectors, the potential impact is broad. Additionally, the vulnerability affects cloud development environments and CI/CD runners, which are critical for continuous integration and deployment workflows, increasing the risk of supply chain attacks. The lack of known exploits in the wild provides a window for proactive mitigation but also underscores the urgency to patch before exploitation occurs.
Mitigation Recommendations
1. Upgrade all Docker Compose installations to version 2.40.2 or later immediately to ensure the vulnerability is patched.
2. Implement strict validation and sanitization of any remote OCI compose artifacts before use, especially those sourced from untrusted or external repositories.
3. Restrict access to Docker Compose cache directories and enforce least privilege principles on systems running Docker Compose to limit the impact of potential file overwrites.
4. Monitor CI/CD pipelines and cloud development environments for unusual file modifications or unexpected Docker Compose activity.
5. Employ network segmentation and access controls to limit exposure of development and build environments to untrusted networks.
6. Educate developers and DevOps teams about the risks of using unverified remote OCI artifacts and encourage use of trusted artifact registries.
7. Integrate security scanning tools that can detect path traversal or suspicious annotations in OCI artifacts as part of the build and deployment process.
8. Maintain up-to-date backups of critical configuration and system files to enable rapid recovery if exploitation occurs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-20T19:41:22.742Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ffdbe2ba6dffc5e20d7f34
Added to database: 10/27/2025, 8:53:54 PM
Last enriched: 10/27/2025, 9:07:47 PM
Last updated: 10/28/2025, 4:21:03 AM