Vulnerability DatabaseCVE-2024-10846
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-10846
January 23, 2025
The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included
Affected Packages
github.com/compose-spec/compose-go/v2 (GO):
Affected version(s) >=v2.1.0 <v2.4.1
Fix Suggestion:
Update to version v2.4.1
Related ResourcesĀ (10)
https://github.com/docker/compose/commit/d239f0f3187a2ed5404c61f83bd5e995c81600ff
https://github.com/docker/compose/issues/12235
https://nvd.nist.gov/vuln/detail/CVE-2024-10846
https://security.netapp.com/advisory/ntap-20250425-0008/
https://github.com/compose-spec/compose-go/pull/703
https://github.com/compose-spec/compose-go
https://github.com/compose-spec/compose-go/pull/618
https://security.netapp.com/advisory/ntap-20250425-0008
https://github.com/docker/compose/commit/d239f0f3187a2ed5404c61f83bd5e995c81600ff#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R10
https://github.com/compose-spec/compose-go/security/advisories/GHSA-36gq-35j3-p9r9
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.7
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
HIGH
CVSS v3
Base Score:
5.9
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Input Validation
CWE-20
Uncontrolled Resource Consumption
CWE-400
EPSS
Base Score:
0.02