A new high-severity vulnerability has been disclosed in Docker Compose, identified as a path traversal flaw in how the tool handles remote OCI (Open Container Initiative) artifacts. The issue, published under advisory GHSA-gv8h-7v7w-r22q, could allow attackers to overwrite arbitrary files on a host system running vulnerable versions of Docker Compose.
The flaw was reported and patched within the past week, with Docker releasing v2.40.2 as the fixed version.
All Docker Compose versions earlier than v2.40.2 are vulnerable. The impact extends to multiple environments and workflows, including:
- Docker Desktop
- Standalone Compose binaries on Linux
- CI/CD runners
- Cloud-based development environments
Any platform resolving remote OCI Compose artifacts is potentially exposed until updated.
The issue lies in how Docker Compose interprets certain annotations inside OCI artifact layers, particularly:
- com.docker.compose.extends
- com.docker.compose.envfile
When Compose processes these annotations, it trusts attacker-supplied paths embedded in fields like com.docker.compose.file or com.docker.compose.envfile. These values are joined with the local cache directory without being checked, so a crafted artifact can traverse outside the cache and overwrite arbitrary files on the host.
Critically, this can occur even when users run read-only commands such as:
docker compose config
docker compose ps
If those commands reference a malicious OCI artifact, they can still trigger the file overwrite.
The Fix
Docker has addressed the issue in Compose v2.40.2, which properly validates and restricts path resolution from remote annotations.
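To make the annotation-path join described above concrete, here is an added Go illustration (not Docker Compose's own code): a naive join that trusts the annotation value beside a hardened join that resolves the path and refuses anything that lands outside the cache directory. The cache path and annotation values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when an annotation-supplied path would resolve
// outside the local cache directory.
var ErrOutsideCache = errors.New("annotation path escapes cache directory")

// naiveJoin mirrors the vulnerable pattern: the value read from an OCI
// annotation is joined with the cache directory and nothing checks that the
// result still lies inside it. Hypothetical illustration, not Compose's code.
func naiveJoin(cacheDir, annotationPath string) string {
	return filepath.Join(cacheDir, annotationPath)
}

// safeJoin resolves the annotation path against cacheDir and rejects any
// result that escapes it. filepath.Join cleans the path first, so a value
// like "sub/../../x" is collapsed before the containment check; absolute
// annotation values are rejected outright rather than silently re-rooted.
func safeJoin(cacheDir, annotationPath string) (string, error) {
	if filepath.IsAbs(annotationPath) {
		return "", ErrOutsideCache
	}
	root := filepath.Clean(cacheDir)
	resolved := filepath.Join(root, annotationPath)
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return resolved, nil
}

func main() {
	cache := "/home/user/.cache/compose/oci" // constructed cache location
	for _, p := range []string{"compose.yaml", "../../../../../tmp/overwritten.txt"} {
		fmt.Printf("naive: %s\n", naiveJoin(cache, p))
		if out, err := safeJoin(cache, p); err != nil {
			fmt.Printf("safe : rejected %q: %v\n", p, err)
		} else {
			fmt.Printf("safe : %s\n", out)
		}
	}
}
```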
There are no documented workarounds, so upgrading is strongly recommended.
You can check your installed version with the “docker compose version” command.
If it is below 2.40.2, update with:
- sudo apt-get update && sudo apt-get install docker-compose-plugin
or by following the official installation instructions for your system.
This vulnerability highlights how even trusted DevOps tools can become attack vectors when handling external resources like OCI artifacts. Teams using Docker Compose in build pipelines, CI/CD runners, or shared environments should upgrade to v2.40.2 immediately and review any workflows that fetch remote artifacts.
For more details, see Docker Compose’s advisory and patch information on GitHub.