CVE-2025-62725: 
Docker Compose vulnerability analysis and mitigation

CVE-2025-62725 is a path traversal vulnerability discovered in Docker Compose that affects versions prior to v2.40.2. The vulnerability was disclosed on October 27, 2025, and stems from Docker Compose trusting path information embedded in remote OCI compose artifacts. When a layer includes specific annotations (com.docker.compose.extends or com.docker.compose.envfile), Compose joins the attacker-supplied value with its local cache directory and writes the file there (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) with a CVSS v4.0 base score of 8.9 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but active user interaction (UI:A). The vulnerability allows for high impacts on confidentiality, integrity, and availability for both vulnerable and subsequent systems (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) (GitHub Advisory).

The vulnerability affects any platform or workflow that resolves remote OCI compose artifacts, including Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, and cloud dev environments. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even when users only execute read-only commands such as 'docker compose config' or 'docker compose ps' (GitHub Advisory).

The vulnerability has been patched in Docker Compose version v2.40.2. Users are advised to upgrade to this version or later to mitigate the risk. No alternative workarounds have been provided (GitHub Advisory).