
Dokploy EUVD-2025-21402

CVE-2025-53825 · CRITICAL
Missing Authorization (CWE-862)
Published 2025-07-14 · security-advisories@github.com
CVSS 3.1 score 9.4 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

- EUVD ID Assigned: Mar 16, 2026 - 09:43 (euvd) · EUVD-2025-21402
- Analysis Generated: Mar 16, 2026 - 09:43 (vuln.today)
- Patch released: Mar 16, 2026 - 09:43 (nvd) · Patch available
- CVE Published: Jul 14, 2025 - 23:15 (nvd) · CRITICAL 9.4

Description (GitHub Advisory)

Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. Version 0.24.3 contains a fix for the issue.

Analysis (AI-generated)

CVE-2025-53825 is a critical unauthenticated remote code execution vulnerability in Dokploy versions prior to 0.24.3: an attacker can execute arbitrary code and read sensitive environment variables simply by opening a pull request against a public repository that is wired to a preview deployment. The vulnerability affects all public Dokploy instances that use preview deployments and carries a CVSS score of 9.4 (Critical). No authentication or user interaction is required, so anyone who can open a pull request against such a repository can trigger it.

Technical Context (AI-generated)

The vulnerability stems from improper access control (CWE-862: Missing Authorization) in Dokploy's preview deployment feature, a common PaaS capability that automatically builds and deploys the code from a pull request for testing. The flaw allows unauthenticated users to trigger the deployment workflow without an authorization check, which exposes the preview environment's execution context, including environment variables that hold secrets, API keys, and database credentials. The root cause is that the preview deployment endpoint never verifies that the requester has legitimate access to the repository or deployment configuration before it runs the deployment pipeline. Dokploy is a self-hostable PaaS platform (CPE: cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*), and versions prior to 0.24.3 are affected.
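The missing check described above, as an added illustration of the defensive pattern; this is not Dokploy's code and not its actual fix. It assumes a GitHub `pull_request` webhook delivery (the `action`, `repository.full_name`, `pull_request.author_association`, and `pull_request.head.repo` fields are real GitHub payload fields; the two sample events and the webhook secret are constructed). A handler that deploys on every pull request event is the vulnerable shape; the hardened handler first authenticates the delivery with the `X-Hub-Signature-256` HMAC, then refuses to run code from forks or from authors who are not trusted members of the repository, and only then hands the branch to the deployer.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Subset of the GitHub `pull_request` webhook payload read by the checks below.
interface PullRequestEvent {
  action: string;
  repository: { full_name: string };
  pull_request: {
    number: number;
    author_association: string; // OWNER, MEMBER, COLLABORATOR, CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, NONE, ...
    head: { ref: string; sha: string; repo: { full_name: string; fork: boolean } };
  };
}

interface Decision { allowed: boolean; reason: string }

const DEPLOYABLE_ACTIONS = new Set(["opened", "synchronize", "reopened"]);
const TRUSTED_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

// Step 1: authenticate the delivery. GitHub sends X-Hub-Signature-256 = "sha256=" + HMAC-SHA256(secret, raw body).
function verifyWebhookSignature(rawBody: string, signatureHeader: string | undefined, secret: string): boolean {
  if (!signatureHeader || !signatureHeader.startsWith("sha256=")) return false;
  const expected = "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(signatureHeader, "utf8");
  return a.length === b.length && timingSafeEqual(a, b); // constant-time comparison
}

// Step 2: the authorization decision that CWE-862 says is missing. A preview deployment
// runs the PR's code with the application's environment variables, so only code that
// trusted members of the repository control may trigger one.
function authorizePreviewDeployment(event: PullRequestEvent): Decision {
  if (!DEPLOYABLE_ACTIONS.has(event.action)) {
    return { allowed: false, reason: `action "${event.action}" does not trigger deployments` };
  }
  const head = event.pull_request.head.repo;
  if (head.fork || head.full_name !== event.repository.full_name) {
    return { allowed: false, reason: "head branch lives in a fork; its contents are not controlled by the repository" };
  }
  const assoc = event.pull_request.author_association;
  if (!TRUSTED_ASSOCIATIONS.has(assoc)) {
    return { allowed: false, reason: `author association ${assoc} is not trusted` };
  }
  return { allowed: true, reason: "same-repository branch opened by a trusted member" };
}

// Webhook entry point: authenticate the delivery, authorize the PR, and only then deploy.
// (The vulnerable shape is the same function with both checks removed.)
function handlePullRequestWebhook(
  rawBody: string,
  signatureHeader: string | undefined,
  secret: string,
  deploy: (ref: string, sha: string) => void,
): Decision {
  if (!verifyWebhookSignature(rawBody, signatureHeader, secret)) {
    return { allowed: false, reason: "missing or invalid webhook signature" };
  }
  const event = JSON.parse(rawBody) as PullRequestEvent;
  const decision = authorizePreviewDeployment(event);
  if (decision.allowed) deploy(event.pull_request.head.ref, event.pull_request.head.sha);
  return decision;
}

// Constructed sample deliveries and secret (not captured from any real repository).
const WEBHOOK_SECRET = "constructed-webhook-secret";
const signBody = (body: string): string =>
  "sha256=" + createHmac("sha256", WEBHOOK_SECRET).update(body).digest("hex");

const trustedEvent: PullRequestEvent = {
  action: "opened",
  repository: { full_name: "example-org/app" },
  pull_request: {
    number: 41,
    author_association: "MEMBER",
    head: { ref: "feature/login", sha: "1".repeat(40), repo: { full_name: "example-org/app", fork: false } },
  },
};

const forkEvent: PullRequestEvent = {
  action: "opened",
  repository: { full_name: "example-org/app" },
  pull_request: {
    number: 42,
    author_association: "NONE",
    head: { ref: "main", sha: "2".repeat(40), repo: { full_name: "someone-else/app", fork: true } },
  },
};

const deployed: string[] = [];
const stubDeploy = (_ref: string, sha: string): void => { deployed.push(sha); };
for (const ev of [trustedEvent, forkEvent]) {
  const body = JSON.stringify(ev);
  console.log(`PR #${ev.pull_request.number}:`, handlePullRequestWebhook(body, signBody(body), WEBHOOK_SECRET, stubDeploy));
}
```

The fork check matters even when the author is trusted: a pull request from a fork carries whatever the fork's owner pushes, so the authorization has to be about who controls the code being deployed, not only about who clicked "open pull request".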

Remediation (AI-generated)

- Patch (priority: Critical): Upgrade Dokploy to version 0.24.3 or later immediately. The fixed version (0.24.3) implements proper authorization checks on preview deployment endpoints to ensure only authenticated and authorized users can trigger deployments.
- Temporary Mitigation: Disable the preview deployments feature if not immediately patchable. Temporarily disable the preview deployment functionality in Dokploy settings to prevent exploitation until the patch is applied.
- Temporary Mitigation: Restrict repository access. Make repositories private or restrict pull request permissions to trusted collaborators only, reducing the attack surface.
- Temporary Mitigation: Rotate secrets and credentials. Immediately rotate all environment variables, API keys, database credentials, and other secrets exposed through preview deployments, as they may have been accessed by attackers.
- Detection: Monitor deployment logs. Review Dokploy logs for unexpected preview deployments triggered from unknown or untrusted pull requests prior to patching.


EUVD-2025-21402 vulnerability details – vuln.today
