CVE-2025-53376
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dokploy | dokploy | up to 0.23.7 (excluding 0.23.7) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53376 is a vulnerability in Dokploy where an authenticated, low-privileged user can execute arbitrary operating system commands on the Dokploy host. This happens because the tRPC procedure docker.getContainersByAppNameMatch directly inserts the attacker-controlled appName parameter into a Docker CLI command without sanitization, enabling command injection under the Dokploy service account. The vulnerability was fixed in version 0.23.7 by adding input validation and authorization checks. [1, 2]
How can this vulnerability impact me?
This vulnerability allows a low-privileged authenticated user to run arbitrary OS commands on the Dokploy host, which could lead to unauthorized access, data compromise, service disruption, or further exploitation of the host system. Since the commands run under the Dokploy service account, an attacker could potentially manipulate the host environment or access sensitive information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Dokploy installation is running a version prior to 0.23.7 and if the tRPC procedure docker.getContainersByAppNameMatch is accessible to authenticated low-privileged users. Since the vulnerability involves command injection via the appName parameter, you can attempt to test this by sending a request to the vulnerable procedure with a crafted appName containing command injection payloads and observe if arbitrary OS commands are executed. Specific detection commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Dokploy to version 0.23.7 or later, where the vulnerability is fixed by applying input validation and authorization checks. Additionally, ensure that only authorized users have access to the Dokploy service and monitor for any unauthorized access attempts. The fix includes strict input validation on appName and server authorization checks to prevent command injection and unauthorized resource access. [1, 2]