CVE-2025-15558

Aliases:GHSA-p436-gjf2-799pBIT-docker-cli-2025-15558GO-2026-4610
Advisory lineage Upstream: 0 Downstream: 3
Analyzed
Published: 04 Mar 2026, 16:14
Last modified:05 Mar 2026, 04:55

Vulnerability Summary

Overall Risk (default)
medium
32/100
CVSS Score
8 HIGH
v3.1 (nvd)
EPSS Score
0.02% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

04 Mar 2026, 16:14
Published
Vulnerability first disclosed
05 Mar 2026, 04:55
Last Modified
Vulnerability information updated

Description

Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user. This issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager  package, such as Docker Compose. This issue does not impact non-Windows binaries, and projects not using the plugin-manager code.

CVSS Metrics

  • v4.0HIGHScore: 7CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U
  • v4.0HIGHScore: 7CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:X/U:X
  • v4.0HIGHScore: 7CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v3.1HIGHScore: 8CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.02% Percentile: 7%

Techniques & Countermeasures

  • CWE-427Uncontrolled Search Path Element

    The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Affected Systems

  • dockercommand_line_interface

    ≤ 29.1.5

  • github.com/dockercli

    < 29.2.0+incompatible | ≥ 19.03.0, < 29.2.0

  • github.com/dockercompose

    all

  • github.com/docker/composev2

    ≥ 2.31.0, ≤ 2.40.3 | ≥ 2.31.0

  • github.com/docker/composev5

    < 5.1.0

References (10)