CVE-2025-53825
📋 TL;DR
CVE-2025-53825 is an unauthenticated remote code execution vulnerability in Dokploy's preview deployment feature. Any user can trigger arbitrary code execution and access sensitive environment variables by opening a pull request on a public repository. This affects all public Dokploy users using preview deployments prior to version 0.24.3.
💻 Affected Systems
- Dokploy
📦 What is this software?
Dokploy by Dokploy
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the Dokploy instance, accessing all secrets and environment variables, and potentially pivoting to other systems.
Likely Case
Unauthenticated attackers exfiltrate sensitive environment variables (API keys, database credentials) and execute arbitrary commands on the Dokploy host.
If Mitigated
If network segmentation and strict access controls are in place, impact may be limited to the Dokploy instance itself.
🎯 Exploit Status
Exploitation requires only opening a pull request against a public repository that has preview deployments enabled; no authentication or special privileges on the Dokploy instance are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.24.3
Vendor Advisory: https://github.com/Dokploy/dokploy/security/advisories/GHSA-h67g-mpq5-6ph5
Restart Required: Yes
Instructions:
1. Stop the Dokploy service.
2. Update to version 0.24.3 using your deployment method (Docker, manual).
3. Restart the Dokploy service.
4. Verify the fix by checking the running version.
🔧 Temporary Workarounds
Disable preview deployments for public repositories
Temporarily disable preview deployment functionality for public repositories until patching can be completed.
Modify the Dokploy configuration to disable preview deployments, or restrict them to private repositories only.
🧯 If You Can't Patch
- Disable preview deployment feature entirely in Dokploy configuration
- Implement network segmentation to isolate Dokploy instance from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check if Dokploy version is below 0.24.3 and preview deployments are enabled for public repositories.
Check Version:
Run docker exec dokploy dokploy --version, or check the version shown in the Dokploy web interface.
Verify Fix Applied:
Confirm Dokploy version is 0.24.3 or higher and test that unauthenticated pull requests no longer trigger preview deployments.
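The version check above is easy to get wrong when done as a string comparison ("0.9.0" sorts after "0.24.3" lexicographically). The following is an added example, not part of the advisory or of Dokploy's own tooling: it parses a version string in an assumed "v0.24.3"-style format, compares it numerically against the patched release, and combines the result with whether preview deployments are enabled for public repositories.

```python
import re

# Version that closes CVE-2025-53825 (from the advisory).
PATCHED_VERSION = (0, 24, 3)

# Matches a version like "0.24.2", "v0.24.3" or "0.24.3-beta1". The format is an
# assumption; adapt the pattern to whatever `dokploy --version` actually prints.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) as integers from a version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_patched(text: str) -> bool:
    """True when the running version is 0.24.3 or newer.

    Tuples compare component-wise, so 0.9.0 < 0.24.3 is judged correctly;
    a plain string comparison would rank "0.9.0" above "0.24.3".
    """
    return parse_version(text) >= PATCHED_VERSION


def assess(version_text: str, preview_public_enabled: bool) -> str:
    """Classify an instance against the advisory's two conditions.

    Returns "patched", "unpatched-exposed" (vulnerable version with preview
    deployments on for public repositories) or "unpatched-mitigated"
    (vulnerable version but the workaround is in place; still needs the update).
    """
    if is_patched(version_text):
        return "patched"
    return "unpatched-exposed" if preview_public_enabled else "unpatched-mitigated"


if __name__ == "__main__":
    # Constructed sample inputs, not real dokploy output.
    samples = [("v0.24.2", True), ("0.9.0", True), ("0.24.3", True), ("0.24.1", False)]
    for sample, preview in samples:
        print(f"{sample:>8} preview_public={preview!s:<5} -> {assess(sample, preview)}")
```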
📡 Detection & Monitoring
Log Indicators:
- Unexpected preview deployment triggers from unauthenticated sources
- Unusual process execution from Dokploy containers
- Access to environment variables from unauthorized sources
Network Indicators:
- Unusual outbound connections from Dokploy instance
- Data exfiltration patterns from the Dokploy host
SIEM Query:
source="dokploy" AND (event="preview_deployment" OR event="pull_request") AND user="unauthenticated"