{"id":"CVE-2025-15558","summary":"Docker Desktop Docker Plugins Uncontrolled Search Path Element Local Privilege Escalation Vulnerability","details":"Docker CLI for Windows searches for plugin binaries in C:\\ProgramData\\Docker\\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features; this allows privilege escalation if the Docker CLI is executed as a privileged user.\n\nThis issue affects Docker CLI through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager package (https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager), such as Docker Compose.\n\nThis issue does not impact non-Windows binaries or projects not using the plugin-manager code.","aliases":["BIT-docker-cli-2025-15558","GHSA-p436-gjf2-799p","GO-2026-4610"],"modified":"2026-05-18T05:56:14.276701239Z","published":"2026-03-04T16:14:32.045Z","related":["CGA-6mmj-5xc7-26c2","SUSE-SU-2026:1042-1","openSUSE-SU-2026:10369-1","openSUSE-SU-2026:10684-1"],"database_specific":{"cwe_ids":["CWE-427"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/15xxx/CVE-2025-15558.json","cna_assigner":"Docker"},"references":[{"type":"WEB","url":"https://docs.docker.com/desktop/release-notes/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/15xxx/CVE-2025-15558.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-15558"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-CAN-28304/"},{"type":"FIX","url":"https://github.com/docker/cli/pull/6713"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/docker/cli","events":[{"introduced":"0"},{"fixed":"0e6fee6c52f761dc79dc4bf712ea9fe4095c9bd2"}]}],"versions":["v29.1.3","v29.1.2","v29.1.1","v29.1.0","v29.0.4","v29.0.3","v29.1.0-rc.1","v29.0.2","v29.0.1","v29.0.0","v29.0.0-rc.3","v29.0.0-rc.2","v29.0.0-rc.1","v28.3.3","v28.3.2","v28.3.1","v28.3.0","v28.3.0-rc.2","v28.3.0-rc.1","v28.2.2","v28.2.1","v28.2.0","v28.2.0-rc.2","v28.2.0-rc.1","v28.1.1","v28.1.0","v28.1.0-rc.2","v28.1.0-rc.1","v28.0.4","v28.0.3","v28.0.2","v28.0.1","v28.0.0","v28.0.0-rc.3","v28.0.0-rc.2","v28.0.0-rc.1","v27.0.1","v27.0.1-rc.1","v27.0.0-rc.2","v27.0.0-rc.1","v26.1.0","v26.0.0","v26.0.0-rc3","v26.0.0-rc2","v26.0.0-rc1","v25.0.0","v25.0.0-rc.3","v25.0.0-rc.2","v25.0.0-rc.1","v25.0.0-beta.3","v25.0.0-beta.2","v25.0.0-beta.1","v24.0.0-rc.2","v24.0.0-rc.1","v24.0.0-beta.2","v24.0.0-beta.1","v23.0.0-rc.4","v23.0.0","v23.0.0-rc.3","v23.0.0-rc.2","v23.0.0-rc.1","v23.0.0-beta.1","v22.06.0-beta.0","v20.10.2","v20.10.1","v20.10.0","v20.10.0-rc2","v20.10.0-rc1","v20.10.0-beta1","v19.03.0-beta3","v19.03.0-beta2","v19.03.0-beta1","v18.09.0-ce-tp4","v18.09.0-ce-tp3","v18.09.0-ce-tp0","v18.06.0-ce-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-15558.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U"}]}
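The record above describes a CWE-427 uncontrolled search path: the Docker CLI on Windows consults C:\ProgramData\Docker\cli-plugins, and because that directory does not exist by default, any local user can create it and seed it with docker-*.exe binaries. The PowerShell script below is an added audit example, not Docker's code and not part of the advisory. It checks the three things that make this path exploitable on a given host: whether the directory exists at all, whether its DACL or owner lets a non-administrative principal write into it, and whether any docker-*.exe files present there carry a valid Authenticode signature. The list of "untrusted" principals and "trusted" owners is an assumption of this example and may need extending for your environment.

```powershell
# Audit a Windows host for CVE-2025-15558-style CLI plugin hijacking.
# Added example, not Docker's code. Assumes the search path named in the
# advisory and a hand-picked list of principals that low-privileged local
# users belong to (an assumption; adjust for your domain).
[CmdletBinding()]
param(
    [string]$PluginDir = 'C:\ProgramData\Docker\cli-plugins'
)

# Principals that an ordinary local user is implicitly a member of.
$untrustedWriters = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Owners we consider administrative; anyone else can rewrite the DACL at will.
$trustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets a principal drop or replace a plugin binary.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeRights = $fsr::CreateFiles -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
               $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl

if (-not (Test-Path -LiteralPath $PluginDir -PathType Container)) {
    Write-Output "OK: $PluginDir does not exist, so nothing can be hijacked from it yet."
    Write-Output "    Caveat: on an unpatched CLI any local user can create it; patch rather than rely on absence."
    return
}

$findings = @()
$acl = Get-Acl -LiteralPath $PluginDir
Write-Output "Directory exists. Owner: $($acl.Owner)"

if ($trustedOwners -notcontains $acl.Owner) {
    $findings += "Owner '$($acl.Owner)' is not an administrative principal (owner can always change the DACL)"
}

# Walk the explicit and inherited Allow rules looking for broad write grants.
foreach ($rule in $acl.Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $id = $rule.IdentityReference.Value
    if (($untrustedWriters -contains $id) -and (($rule.FileSystemRights -band $writeRights) -ne 0)) {
        $findings += "Writable by '$id': $($rule.FileSystemRights)"
    }
}

# Inventory what is actually sitting in the search path and who signed it.
$plugins = @(Get-ChildItem -LiteralPath $PluginDir -Filter 'docker-*.exe' -File -ErrorAction SilentlyContinue)
foreach ($p in $plugins) {
    $sig = Get-AuthenticodeSignature -LiteralPath $p.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $fileOwner = (Get-Acl -LiteralPath $p.FullName).Owner
    Write-Output ("  {0,-24} sig={1,-14} owner={2}  signer={3}" -f $p.Name, $sig.Status, $fileOwner, $signer)
    if ($sig.Status -ne 'Valid') {
        $findings += "Plugin '$($p.Name)' is not validly signed ($($sig.Status)), owner '$fileOwner'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no untrusted write access and no unsigned plugin binaries in $PluginDir."
} else {
    Write-Output "FINDINGS (possible CWE-427 plugin hijack precondition):"
    foreach ($f in $findings) { Write-Output "  - $f" }
    exit 1
}
```

Run it as any user to see the current state; a non-zero exit means the search path is either writable by ordinary users, owned by one, or already holds an unsigned docker-*.exe. The durable fix is the patched docker/cli (the record's FIX reference) and a Docker Desktop build that ships it; until then, a hardening step of this example's own suggestion, not from the advisory, is to pre-create the directory as an administrator with a DACL that grants write only to Administrators and SYSTEM, which removes the "does not exist by default" precondition on hosts you cannot patch immediately.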