CVE-2025-62725: Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations

October 27, 2025 (updated November 27, 2025)

Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there.

References

github.com/advisories/GHSA-gv8h-7v7w-r22q
github.com/docker/compose
github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176
github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q
nvd.nist.gov/vuln/detail/CVE-2025-62725

Code Behaviors & Features

Detect and mitigate CVE-2025-62725 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →