This issue affects Docker CLI through 29.1.5
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user.
This issue affects Docker CLI through v29.1.5 (fixed in v29.2.0). It impacts Windows binaries acting as a CLI plugin manager via the github.com/docker/cli/cli-plugins/manager package, which is consumed by downstream projects such as Docker Compose.
Docker Compose became affected starting in v2.31.0, when it incorporated the relevant CLI plugin manager code (see https://github.com/docker/compose/pull/12300), and is fixed in v5.1.0.
This issue does not impact non-Windows binaries or projects that do not use the plugin manager code.
Fixed version starts with 29.2.0
This issue was fixed in https://github.com/docker/cli/commit/13759330b1f7e7cb0d67047ea42c5482548ba7fa (https://github.com/docker/cli/pull/6713), which removed %PROGRAMDATA%\Docker\cli-plugins from the list of paths used for plugin-discovery on Windows.
None
Nitesh Surana (niteshsurana.com) of Trend Research of TrendAI
| Score | Percentile |
|---|---|
| 0.02% | 6.09% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.0 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-p436-gjf2-799p ↗ |
| CVE | CVE-2025-15558 ↗ |
| CWE id | Name |
|---|---|
| CWE-427 | Uncontrolled Search Path Element |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/docker/cli | >= 19.03.0, < 29.2.0 | 29.2.0 | — |