Cyber Resilience

CVE-2025-53376

Severity: Medium | Class: RCE

Published: 07 July 2025

Modified: 29 September 2025
CVSS Score (v4): 6.3
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0355 (88.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53376 is a medium-severity OS Command Injection (CWE-78) vulnerability in Dokploy (vendor: Dokploy). Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 12.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Dokploy is a self-hostable Platform as a Service that simplifies deployment and management of applications and databases. CVE-2025-53376 is a command-injection flaw (CWE-78) in the tRPC procedure docker.getContainersByAppNameMatch, which interpolates an attacker-supplied appName value directly into a Docker CLI invocation without sanitization, allowing arbitrary operating-system command execution under the Dokploy service account. The issue affects versions prior to 0.23.7 and carries a CVSS 4.0 score of 6.3 with network attack vector and low-privileged authentication requirements.

An authenticated user with low privileges can supply a malicious appName parameter to the vulnerable procedure and thereby execute arbitrary commands on the underlying host. Successful exploitation grants the attacker confidentiality, integrity, and availability impact on the Dokploy instance while remaining confined to the service account context.

The official GitHub security advisory GHSA-m486-7pmj-8cmv and the associated commit fb5d2bd5b67322f1468e5e4d0d5abcf97517761c confirm that the vulnerability is resolved in release 0.23.7; administrators are advised to upgrade promptly. The EPSS score remains flat at 0.0355 with no observed rise after disclosure.


Vulnerability details

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection in Dokploy's tRPC docker.getContainersByAppNameMatch allows authenticated low-privileged users to execute arbitrary Unix shell commands (T1059.004) on the host as the Dokploy service account, enabling exploitation for privilege escalation (T1068).

Affected Assets

dokploy (vendor: dokploy), versions ≤ 0.23.7

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
