CVE-2025-53376

Name of the Vulnerable Software and Affected Versions: Dokploy versions prior to 0.23.7

Description: Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account.

Recommendations: For versions prior to 0.23.7, update to version 0.23.7 to fix the issue. As a temporary workaround, consider restricting access to the docker.getContainersByAppNameMatch procedure to prevent command injection attacks.