CVE-2024-10846 MEDIUM

CVE-2024-10846: Excessive Platform Resource Consumption within a Loop when unmarshalling Compose file having recursive loop

Vendor Compose-Spec
Product compose-go
Weakness CWE-20 · Input validation
Published January 23, 2025
Last update April 25, 2025

CVSS base score

5.9/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

The compose-go library, in versions v2.10 through v2.4.0, allows an authorized user who supplies a malicious YAML payload to make compose-go consume an excessive amount of memory and CPU cycles while parsing the YAML. Docker Compose versions v2.27.0 through v2.29.7 inclusive bundle an affected compose-go and are therefore affected. The impact is limited to availability: the CVSS vector records no confidentiality or integrity impact, and exploitation requires a user to load the malicious Compose file locally.
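The advisory does not say which YAML construct forms the "recursive loop"; the added example below assumes it is expressed through YAML anchors and aliases (an anchored node that, directly or through other anchors, contains an alias back to itself) and shows a pre-filter a deployment could run on untrusted Compose files before handing them to a parser in the affected range. This is illustrative code written for this page, not compose-go's own code or its fix: it is a line-based heuristic scanner, not a YAML parser, so it ignores quoting and multi-line flow collections and should be used as a defence-in-depth check alongside upgrading, not instead of it. The sample Compose documents, the function names `DetectAnchorCycle`, `CheckComposeFile` and `buildAnchorGraph`, and the size limit are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Anchor (&name) and alias (*name) tokens. The preceding-character class
// approximates YAML's rule that these appear at a token boundary.
var (
	anchorRe = regexp.MustCompile(`(^|[\s\[{,])&([A-Za-z0-9_.-]+)`)
	aliasRe  = regexp.MustCompile(`(^|[\s\[{,:])\*([A-Za-z0-9_.-]+)`)
)

// buildAnchorGraph returns, for every anchor, the set of aliases that occur
// inside the anchored node. Scope is approximated by indentation: an anchor
// declared on a line stays open while following lines are indented deeper.
func buildAnchorGraph(doc string) map[string]map[string]bool {
	edges := map[string]map[string]bool{}
	type scope struct {
		indent int
		name   string
	}
	var stack []scope
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimRight(raw, " \t\r")
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		if i := strings.Index(line, " #"); i >= 0 { // drop trailing comment (heuristic)
			line = line[:i]
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		// Close every anchored node that this line is not nested inside.
		for len(stack) > 0 && stack[len(stack)-1].indent >= indent {
			stack = stack[:len(stack)-1]
		}
		for _, m := range anchorRe.FindAllStringSubmatch(line, -1) {
			stack = append(stack, scope{indent, m[2]})
			if edges[m[2]] == nil {
				edges[m[2]] = map[string]bool{}
			}
		}
		// An alias belongs to every anchor whose node encloses this line,
		// including an anchor declared earlier on the same line.
		for _, m := range aliasRe.FindAllStringSubmatch(line, -1) {
			for _, s := range stack {
				edges[s.name][m[2]] = true
			}
		}
	}
	return edges
}

// DetectAnchorCycle returns the first anchor/alias cycle found, as the path of
// anchor names closed back on itself (e.g. [a b a]), or nil when there is none.
func DetectAnchorCycle(doc string) []string {
	edges := buildAnchorGraph(doc)
	nodes := make([]string, 0, len(edges))
	for n := range edges {
		nodes = append(nodes, n)
	}
	sort.Strings(nodes) // deterministic traversal order
	const white, grey, black = 0, 1, 2
	color := map[string]int{}
	var path []string
	var visit func(n string) []string
	visit = func(n string) []string {
		color[n] = grey
		path = append(path, n)
		targets := make([]string, 0, len(edges[n]))
		for t := range edges[n] {
			targets = append(targets, t)
		}
		sort.Strings(targets)
		for _, t := range targets {
			switch color[t] {
			case grey: // back edge: t is still on the current path
				for i, p := range path {
					if p == t {
						return append(append([]string{}, path[i:]...), t)
					}
				}
			case white:
				if c := visit(t); c != nil {
					return c
				}
			}
		}
		path = path[:len(path)-1]
		color[n] = black
		return nil
	}
	for _, n := range nodes {
		if color[n] == white {
			if c := visit(n); c != nil {
				return c
			}
		}
	}
	return nil
}

// CheckComposeFile is the guard to run on untrusted input before parsing:
// bound the document size, then refuse any recursive alias chain.
func CheckComposeFile(doc string, maxBytes int) error {
	if len(doc) > maxBytes {
		return fmt.Errorf("compose file is %d bytes, limit is %d", len(doc), maxBytes)
	}
	if cycle := DetectAnchorCycle(doc); cycle != nil {
		return fmt.Errorf("recursive YAML alias chain rejected: %s", strings.Join(cycle, " -> "))
	}
	return nil
}

// Constructed sample documents (not taken from the advisory).
const safeCompose = `
x-common: &common
  restart: always
services:
  web:
    image: nginx:1.27
    <<: *common
`

const selfReferencing = `
services:
  web: &web
    image: nginx:1.27
    depends_on: *web
`

const mutualReference = `
x-a: &a
  extends: *b
x-b: &b
  extends: *a
`

func main() {
	for name, doc := range map[string]string{"safe": safeCompose, "self": selfReferencing, "mutual": mutualReference} {
		fmt.Printf("%-7s %v\n", name, CheckComposeFile(doc, 1<<20))
	}
}
```

The check runs in time linear in the document size plus the number of anchor-to-alias edges, so it cannot itself become the resource sink the advisory describes; the size bound additionally caps how much work a parser downstream can be asked to do on a single file.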

Key dates

02 Disclosure timeline

January 23, 2025 CVE published
April 25, 2025 Record updated