CVE-2025-53376
Published: 07 July 2025
Summary
CVE-2025-53376 is a medium-severity OS Command Injection (CWE-78) vulnerability in Dokploy (vendor: Dokploy). Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 12.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Dokploy is a self-hostable Platform as a Service that simplifies deployment and management of applications and databases. CVE-2025-53376 is a command-injection flaw (CWE-78) in the tRPC procedure docker.getContainersByAppNameMatch, which interpolates an attacker-supplied appName value directly into a Docker CLI invocation without sanitization, allowing arbitrary operating-system command execution under the Dokploy service account. The issue affects versions prior to 0.23.7 and carries a CVSS 4.0 score of 6.3, with a network attack vector and a low-privileged authentication requirement.
An authenticated user with low privileges can supply a malicious appName parameter to the vulnerable procedure and thereby execute arbitrary commands on the underlying host. Successful exploitation grants the attacker confidentiality, integrity, and availability impact on the Dokploy instance while remaining confined to the service account context.
The official GitHub security advisory GHSA-m486-7pmj-8cmv and the associated commit fb5d2bd5b67322f1468e5e4d0d5abcf97517761c confirm that the vulnerability is resolved in release 0.23.7; administrators are advised to upgrade promptly. The EPSS score remains flat at 0.0355, with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20270
Vulnerability details
Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.
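The Deeper analysis and Vulnerability details sections both describe the same defect: a user-controlled appName spliced into a Docker CLI command string. The following TypeScript is an added illustration, not Dokploy's code and not the upstream fix; the function names (buildVulnerableShellCommand, buildDockerArgv, getContainersByAppNameMatchSafe, auditAppNames), the allow-list pattern and the sample inputs are all assumptions made for this example. It places the vulnerable string-building shape next to a hardened form that validates the value and passes it to docker as a discrete argv element with no shell, and adds a small helper for spotting metacharacter-laden appName values when reviewing request logs from an unpatched instance.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// --- Vulnerable shape (hypothetical reconstruction, NOT Dokploy's actual code) ---
// The caller-controlled appName is spliced into one command string that a shell
// will later parse, which is the CWE-78 pattern described on this page.
function buildVulnerableShellCommand(appName: string): string {
  return `docker ps -a --filter "name=${appName}" --format "{{.Names}}"`;
}

// --- Hardened shape (assumed design for this example, not the upstream fix) ---
// 1. Allow-list the value. Docker container names are restricted to this
//    character set, so anything outside it is not a legitimate lookup anyway.
const SAFE_APP_NAME = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/;

// 2. Build an argv array instead of a string. Each element reaches docker
//    verbatim, so shell metacharacters in appName are never interpreted.
function buildDockerArgv(appName: string): string[] {
  if (!SAFE_APP_NAME.test(appName)) {
    throw new Error("rejected appName: contains disallowed characters");
  }
  return ["ps", "-a", "--filter", `name=${appName}`, "--format", "{{.Names}}"];
}

// 3. Execute with execFile (no shell involved) and the validated argv.
async function getContainersByAppNameMatchSafe(appName: string): Promise<string[]> {
  const argv = buildDockerArgv(appName);
  const { stdout } = await execFileAsync("docker", argv);
  return stdout.split("\n").filter((line) => line.length > 0);
}

// --- Detection helper for log review ---
// Flags appName values that carry shell metacharacters. On an instance that has
// not yet been upgraded to 0.23.7, such values in request logs deserve a look.
const SHELL_METACHARS = /[;&|`$(){}<>\n\r\\'"]/;

function containsShellMetacharacters(value: string): boolean {
  return SHELL_METACHARS.test(value);
}

function auditAppNames(values: string[]): string[] {
  return values.filter(containsShellMetacharacters);
}

// Constructed sample inputs (not real traffic): one benign container name and
// one that closes the quoted filter and appends a harmless extra command.
const SAMPLE_APP_NAMES: string[] = [
  "web-app_1",
  'web"; echo injected; echo "',
];
```

The contrast to take away is that the hardened version never relies on escaping: validation rejects the second sample outright, and even a value that slipped past validation would arrive at docker as a single argument rather than as shell syntax. The same split (allow-list plus argv, no shell) applies to any server-side wrapper around a CLI tool.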
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Command injection in Dokploy's tRPC docker.getContainersByAppNameMatch allows authenticated low-privileged users to execute arbitrary Unix shell commands (T1059.004) on the host as the Dokploy service account, enabling exploitation for privilege escalation (T1068).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.