{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-62725","title":"Title"},{"category":"description","text":"Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. This affects any platform or workflow that resolves remote OCI compose artifacts: Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, and cloud dev environments are all affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as docker compose config or docker compose ps. 
This issue is fixed in v2.40.2.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-62725","url":"https://www.suse.com/security/cve/CVE-2025-62725"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1252752 for CVE-2025-62725","url":"https://bugzilla.suse.com/1252752"}],"title":"SUSE CVE CVE-2025-62725","tracking":{"current_release_date":"2026-03-11T16:53:08Z","generator":{"date":"2025-10-29T00:23:15Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-62725","initial_release_date":"2025-10-29T00:23:15Z","revision_history":[{"date":"2025-10-29T00:23:15Z","number":"2","summary":"Current version"},{"date":"2025-11-09T00:23:17Z","number":"3","summary":"Current version"},{"date":"2025-12-17T00:26:59Z","number":"4","summary":"description changed"},{"date":"2025-12-19T00:26:47Z","number":"5","summary":"description changed"},{"date":"2026-03-08T00:28:02Z","number":"6","summary":"unknown changes"},{"date":"2026-03-11T16:53:08Z","number":"7","summary":"more updates released"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Micro 6.0","product":{"name":"SUSE Linux Micro 6.0","product_id":"SUSE Linux Micro 6.0","product_identification_helper":{"cpe":"cpe:/o:suse:sl-micro:6.0"}}},{"category":"product_name","name":"SUSE Linux Micro 6.1","product":{"name":"SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 
6.1","product_identification_helper":{"cpe":"cpe:/o:suse:sl-micro:6.1"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"docker-compose","product":{"name":"docker-compose","product_id":"docker-compose","product_identification_helper":{"purl":"pkg:rpm/suse/docker-compose@?upstream=docker-compose.src.rpm"}}},{"category":"product_version","name":"docker-compose-2.33.1-slfo.1.1_2.1","product":{"name":"docker-compose-2.33.1-slfo.1.1_2.1","product_id":"docker-compose-2.33.1-slfo.1.1_2.1","product_identification_helper":{"purl":"pkg:rpm/suse/docker-compose@2.33.1-slfo.1.1_2.1?upstream=docker-compose-2.33.1-slfo.1.1_2.1.src.rpm"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20251105T184115-1.1","product":{"name":"govulncheck-vulndb-0.0.20251105T184115-1.1","product_id":"govulncheck-vulndb-0.0.20251105T184115-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20251105T184115-1.1?upstream=govulncheck-vulndb-0.0.20251105T184115-1.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"docker-compose-2.33.1-slfo.1.1_2.1 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:docker-compose-2.33.1-slfo.1.1_2.1"},"product_reference":"docker-compose-2.33.1-slfo.1.1_2.1","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20251105T184115-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1"},"product_reference":"govulncheck-vulndb-0.0.20251105T184115-1.1","relates_to_product_reference":"openSUSE 
Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"docker-compose as component of SUSE Linux Micro 6.0","product_id":"SUSE Linux Micro 6.0:docker-compose"},"product_reference":"docker-compose","relates_to_product_reference":"SUSE Linux Micro 6.0"}]},"vulnerabilities":[{"cve":"CVE-2025-62725","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-62725"}],"notes":[{"category":"general","text":"Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. This affects any platform or workflow that resolves remote OCI compose artifacts: Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, and cloud dev environments are all affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as docker compose config or docker compose ps. 
This issue is fixed in v2.40.2.","title":"CVE description"}],"product_status":{"known_affected":["SUSE Linux Micro 6.0:docker-compose"],"recommended":["SUSE Linux Micro 6.1:docker-compose-2.33.1-slfo.1.1_2.1","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1"]},"references":[{"category":"external","summary":"CVE-2025-62725","url":"https://www.suse.com/security/cve/CVE-2025-62725"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1252752 for CVE-2025-62725","url":"https://bugzilla.suse.com/1252752"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Micro 6.1:docker-compose-2.33.1-slfo.1.1_2.1","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1"]}],"scores":[{"cvss_v3":{"baseScore":8.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Micro 6.1:docker-compose-2.33.1-slfo.1.1_2.1","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1"]}],"threats":[{"category":"impact","date":"2025-10-27T23:02:48Z","details":"important"}],"title":"CVE-2025-62725"}]}