Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attacker needs deploy/cert command access so PR:L; archive can be remotely supplied (AV:N), extraction is deterministic (AC:L), and arbitrary file write to authorized_keys yields full C/I/A.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user - including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
Articles & Coverage 1
AnalysisAI
Arbitrary file write in Dokku before 0.38.2 lets an attacker with deploy-level access escalate to full shell access on the host. The git:from-archive and certs:add commands extract attacker-supplied tar/zip archives without sanitizing member paths, and because GNU tar creates and then follows symlinks during extraction, a crafted archive can plant files anywhere the dokku user can write - most damagingly ~/.ssh/authorized_keys. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be able to invoke Dokku's git:from-archive or certs:add commands with an attacker-controlled tar/zip archive (PR:L - a deploy or certificate-management user, not an anonymous outsider), and the target must run a version prior to 0.38.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, C:H/I:H/A:H, score 8.8) describes a low-privilege, low-complexity, network-reachable flaw with total impact, consistent with the SSVC 'Technical Impact: total' rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with permission to deploy apps (or to provide an archive URL to git:from-archive) crafts a tar archive whose first entry is a symlink named, say, 'link' that points to /home/dokku/.ssh, followed by an entry 'link/authorized_keys' containing the attacker's public key. When Dokku extracts the archive, GNU tar follows the symlink and writes authorized_keys outside the temp directory, granting the attacker SSH shell access as the dokku user. … |
| Remediation | Vendor-released patch: upgrade to Dokku 0.38.2 or later, which validates archives before extraction and rejects absolute paths, parent-directory (..) traversal, and symlinks pointing outside the extraction directory, as documented in GHSA-j6qq-xg73-ghqg and PR #8591. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Dokku instances and current versions; restrict deploy-level access to essential administrators and automated systems only; review access logs for unauthorized activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39804