Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure
docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.
CVSS
No CVSS.
References
Configurations
No configuration.
History
08 Jul 2025, 16:18
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
07 Jul 2025, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-07-07 16:15
Updated : 2025-07-08 16:18
NVD link : CVE-2025-53376
Mitre link : CVE-2025-53376
CVE.ORG link : CVE-2025-53376
JSON object : View
Products Affected
No product.
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')