CVE-2025-53376
📋 TL;DR
CVE-2025-53376 is a command injection vulnerability in Dokploy that allows authenticated low-privileged users to execute arbitrary operating system commands on the host server. The vulnerability occurs when user-supplied input is improperly sanitized before being passed to Docker CLI commands. This affects all Dokploy instances with authenticated users.
💻 Affected Systems
- Dokploy
📦 What is this software?
Dokploy by Dokploy
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Dokploy host server, allowing attackers to install malware, exfiltrate data, pivot to other systems, or establish persistent backdoors.
Likely Case
Attackers gain shell access to the Dokploy host, potentially compromising all applications and databases managed by the platform.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented, though the Dokploy service account would still be compromised.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in a documented API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.23.7
Vendor Advisory: https://github.com/Dokploy/dokploy/security/advisories/GHSA-m486-7pmj-8cmv
Restart Required: Yes
Instructions:
1. Backup your Dokploy configuration and data.
2. Stop the Dokploy service.
3. Update to version 0.23.7 using your deployment method (Docker, direct install, etc.).
4. Restart the Dokploy service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict User Access
Temporarily remove or disable all non-essential user accounts in Dokploy until patching can be completed.
Network Segmentation
Isolate the Dokploy host from other critical systems to limit potential lateral movement.
🧯 If You Can't Patch
- Implement strict network access controls to limit which users can reach the Dokploy interface
- Monitor all Docker commands executed by the Dokploy service account for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check your Dokploy version. If it is below 0.23.7 and the instance has authenticated users, it is vulnerable.
Check Version:
Run: docker exec dokploy dokploy --version
Or check the version shown on the Dokploy web interface settings page.
Verify Fix Applied:
After updating to 0.23.7, verify the version and test that the docker.getContainersByAppNameMatch endpoint properly sanitizes input.
📡 Detection & Monitoring
Log Indicators:
- Unusual Docker commands from Dokploy service account
- Multiple failed authentication attempts followed by successful login
- Suspicious command execution in system logs
Network Indicators:
- Unusual outbound connections from Dokploy host
- Traffic to known malicious IPs from Dokploy host
SIEM Query:
source="dokploy" AND event="docker_command" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")