PT-2025-1609 · Docker · Docker Compose
Ahollmann · Published 2025-01-21 · Updated 2025-04-25
CVE-2024-10846
CVSS v3.1: 5.9 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
compose-go versions v2.10 through v2.4.0
Docker Compose versions v2.27.0 through v2.29.7
Description
An authorized user who supplies a crafted YAML payload can cause excessive memory and CPU consumption while the payload is parsed, resulting in a denial of service. The flaw is in the compose-go library, which Docker Compose uses to parse Compose files.
Recommendations
For compose-go versions v2.10 through v2.4.0, update to version v2.24.1 to fix the issue.
For Docker Compose versions v2.27.0 through v2.29.7, consider updating the underlying compose-go library to version v2.24.1 as a mitigation measure.
As a temporary workaround, consider restricting the use of YAML payloads to trusted sources until the issue is resolved.
Fix · DoS · Resource Exhaustion · RCE
Affected Products: Docker Compose · Suse