CVE-2025-53825 CRITICAL

CVE-2025-53825: Dokploy's Preview Deployments are vulnerable to Remote Code Execution

Vendor Dokploy
Product dokploy
Weakness CWE-862 · Missing authorization
Published July 14, 2025
Last update July 15, 2025

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. Version 0.24.3 contains a fix for the issue.

Key dates

02 Disclosure timeline

July 14, 2025 CVE published
July 15, 2025 Record updated