CVE-2024-10846: 
Docker Compose vulnerability analysis and mitigation

CVE-2024-10846 affects the compose-go library component in versions v2.10-v2.4.0. The vulnerability was discovered and disclosed on January 23, 2025, impacting Docker Compose versions v2.27.0 to v2.29.7. This security issue allows authorized users to submit malicious YAML payloads that can cause excessive resource consumption (NVD, GitHub Advisory).

The vulnerability is classified as an Improper Input Validation (CWE-20) issue. When processing YAML payloads, the compose-go library can be forced to consume excessive amounts of Memory and CPU cycles during the parsing phase. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H, indicating local access is required and the impact is primarily on system availability (NVD).

The primary impact of this vulnerability is on system availability. When exploited, the vulnerability can lead to excessive consumption of system resources (Memory and CPU), potentially affecting the performance and stability of systems running affected versions of Docker Compose (GitHub Advisory).

The vulnerability has been patched in compose-go version v2.4.1. There are no known workarounds for this vulnerability, and users are advised to upgrade to the patched version (GitHub Advisory).