
"The bug in Docker Compose was found in October by security researcher Ron Masas of Imperva. Compose is a tool that converts YAML configurations into running container environments and is an important part of countless development and CI/CD processes. Masas discovered that the recent support for OCI-based Compose artifacts did not perform sufficient checks on file locations. When processing these artifacts, Compose relied entirely on the instructions in the so-called layer annotations, which specify where files should be placed."
"By manipulating these annotations, an attacker could cause Compose to store files outside its own cache directory, in locations where the process had write permissions. This created the possibility of overwriting or adding files on the host system. The vulnerability was designated CVE-2025-62725 and given a CVSS score of 8.9. Masas praises the Docker team's quick response, which resolved the issue in Docker Compose version 2.40.2. According to him, this incident underscores the importance of developers always applying path validation, even in simple configurations."
"In addition to the Compose leak, a bug was also discovered in Docker Desktop's Windows Installer. The installer was found to load DLL files from the user's Downloads folder before checking the system folders. This allowed an attacker to place a malicious DLL file with the same name in that folder and execute code with elevated privileges. This vulnerability, registered as CVE-2025-9164 and EUVD-2025-36191, received a CVSS score of 8.8. Docker has fixed the bug in version 4.49.0 of Docker Desktop."
Docker patched two high-severity vulnerabilities affecting Docker Compose and Docker Desktop for Windows. A flaw in Compose's handling of OCI-based artifacts allowed layer annotations to specify arbitrary file locations, enabling files to be written outside the Compose cache into writable host paths. That could permit overwriting or adding files on the host. The Compose issue was reported by Ron Masas (Imperva) and assigned CVE-2025-62725 with a CVSS of 8.9; it was fixed in Compose 2.40.2. A separate Windows installer issue permitted DLL hijacking from the user's Downloads folder, tracked as CVE-2025-9164 (CVSS 8.8) and fixed in Docker Desktop 4.49.0.
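The path validation that the reporter says every consumer of untrusted file locations should apply, as an added example: this is not Compose's own code and not the 2.40.2 patch, just the containment check a practitioner would expect around a cache directory, written in Go because Compose is a Go program. The annotation key `example.compose/file`, the `layer` struct and the sample manifest are assumptions made up for the illustration; the real annotation name and the real descriptor type are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// annotationFilePath is a placeholder annotation key for this example;
// it is an assumption, not the key Compose actually uses.
const annotationFilePath = "example.compose/file"

// layer is a minimal stand-in for an OCI layer descriptor: a digest plus the
// annotations carried in the manifest (assumed shape, for illustration only).
type layer struct {
	Digest      string
	Annotations map[string]string
}

var errEscapesCache = errors.New("annotation path escapes the cache directory")

// unsafeDestination shows the trusting pattern the advisory describes: the
// annotation value is joined onto the cache directory with no containment
// check, so "../" segments walk straight out of the cache.
func unsafeDestination(cacheDir string, l layer) string {
	return filepath.Join(cacheDir, l.Annotations[annotationFilePath])
}

// safeDestination resolves the annotation to a path and refuses anything that
// would not land strictly inside cacheDir: absolute paths, drive-qualified
// paths, the cache root itself, and lexical ".." traversal.
func safeDestination(cacheDir string, l layer) (string, error) {
	p := l.Annotations[annotationFilePath]
	if p == "" {
		return "", fmt.Errorf("missing %s annotation", annotationFilePath)
	}
	if filepath.IsAbs(p) || filepath.VolumeName(p) != "" {
		return "", errEscapesCache
	}
	root, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(root, p) // Join cleans, so ".." is collapsed here
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapesCache
	}
	return dest, nil
}

// destinationsFor validates every layer before reporting any destination, so a
// manifest with one bad annotation is rejected as a whole instead of being
// partly extracted before the bad layer is reached.
func destinationsFor(cacheDir string, layers []layer) (map[string]string, error) {
	out := make(map[string]string, len(layers))
	for _, l := range layers {
		dest, err := safeDestination(cacheDir, l)
		if err != nil {
			return nil, fmt.Errorf("layer %s: %w", l.Digest, err)
		}
		out[l.Digest] = dest
	}
	return out, nil
}

func main() {
	// Constructed sample manifest (hypothetical digests): one benign layer and
	// one whose annotation tries to traverse out of the cache.
	layers := []layer{
		{Digest: "sha256:aaaa", Annotations: map[string]string{annotationFilePath: "compose.yaml"}},
		{Digest: "sha256:bbbb", Annotations: map[string]string{annotationFilePath: "../../etc/cron.d/evil"}},
	}
	cache := "/tmp/compose-cache"
	for _, l := range layers {
		fmt.Printf("unsafe: %s -> %s\n", l.Digest, unsafeDestination(cache, l))
		if dest, err := safeDestination(cache, l); err != nil {
			fmt.Printf("safe:   %s rejected: %v\n", l.Digest, err)
		} else {
			fmt.Printf("safe:   %s -> %s\n", l.Digest, dest)
		}
	}
	if _, err := destinationsFor(cache, layers); err != nil {
		fmt.Println("manifest rejected:", err)
	}
}
```

The check above is purely lexical. Before actually writing, a real implementation should also resolve the existing part of the destination with `filepath.EvalSymlinks` and re-run the containment test, because a symlink already present inside the cache can point outside it and defeat a string comparison. Cleaning the path first (`filepath.Join` does this) matters as well: comparing against a raw `"/tmp/compose-cache/../x"` string would pass a naive prefix check.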
Read at Techzine Global