CVE-2025-53825
Published: 14 July 2025
Summary
CVE-2025-53825 is a critical-severity Missing Authorization (CWE-862) vulnerability in Dokploy (vendor: Dokploy; product: Dokploy). Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly prohibits unauthorized actions such as triggering preview deployments without identification or authentication, preventing unauthenticated RCE and secret exposure.
- AC-3 (Access Enforcement): enforces approved access authorizations on preview deployment functions, blocking unauthenticated users from executing arbitrary code.
- Requires timely remediation of authorization flaws like this CVE through patching, preventing exploitation of preview deployment vulnerabilities.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on a public-facing PaaS gives an unauthenticated attacker direct remote code execution (T1190), which in turn enables arbitrary command execution (T1059) and extraction of secrets from environment variables (T1552).
NVD Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. Version 0.24.3 contains a fix for the issue.
Deeper analysis
CVE-2025-53825 is an unauthenticated preview deployment vulnerability affecting Dokploy, a free self-hostable Platform as a Service (PaaS), in versions prior to 0.24.3. The flaw, classified as CWE-862 (Missing Authorization), lets attackers execute arbitrary code and read sensitive environment variables through Dokploy's preview deployment feature. It carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), a Critical rating driven by network reachability, low attack complexity, and the absence of any privilege or user-interaction requirement.
Any unauthenticated user can exploit this vulnerability simply by opening a pull request on a public repository linked to a Dokploy instance that has preview deployments enabled. Successful exploitation gives the attacker remote code execution (RCE) on the Dokploy server and access to secrets held in environment variables, fully compromising confidentiality and integrity and partially impacting availability of the affected system. Every Dokploy deployment that runs preview deployments from public repositories is therefore at significant risk.
The official GitHub security advisory (GHSA-h67g-mpq5-6ph5) and the fixing commit (1977235d313824b9764f1a06785fb7f73ab7eba2) confirm that upgrading to Dokploy version 0.24.3 resolves the issue by addressing the authorization bypass in preview deployments. Security practitioners should immediately patch affected instances and review logs for suspicious pull requests on public repositories.
Details
- CWE(s)