VYPR
Medium severity (CVSS 5.9) · GHSA Advisory · Published Jan 23, 2025 · Updated Apr 15, 2026

CVE-2024-10846

Description

The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause compose-go to consume an excessive amount of memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 inclusive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-10846 is a resource-consumption vulnerability in the compose-go library, affecting Docker Compose v2.27.0–v2.29.7, where malicious YAML can cause excessive CPU and memory usage during parsing.

Vulnerability Overview

The vulnerability resides in the compose-go library, which is the reference library for parsing Docker Compose YAML files. Versions v2.10 through v2.4.0 (with affected Docker Compose versions v2.27.0 to v2.29.7) are susceptible. The issue allows an authorized user who sends a specially crafted YAML payload to cause excessive CPU and memory consumption during YAML parsing [1][3].

Attack Vector and Exploitation

A user authorized to run Docker Compose commands can trigger the vulnerability by providing a malformed or deeply nested YAML file. As demonstrated in a bug report, a YAML structure with a missing services: key but containing YAML anchors and aliases caused the Docker Compose config command to consume huge amounts of memory, forcing a hard kill to avoid an out-of-memory condition [3]. The exploit requires only the ability to load a compose file; no special network access or authentication bypass is needed.

Impact

If successfully exploited, the attack can lead to a denial-of-service (DoS) condition on the host system. The excessive memory and CPU consumption can degrade performance for other processes or cause the Docker Engine to become unresponsive. The CVSS v3 base score of 5.9 (Medium) reflects the high availability impact but notes that the attack is limited to authorized users [1].

Mitigation

Docker has addressed this issue in compose-go and Docker Compose. Users should upgrade to Docker Compose versions later than v2.29.7 or apply the related commit in the compose-go library [2]. As of January 2025, the official advisory recommends updating to a fixed version. There is currently no indication that CVE-2024-10846 is listed in the CISA Known Exploited Vulnerabilities catalog.
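As an added example (not part of this advisory, of Docker Compose or of compose-go), a defender-side pre-parse check for the anchor-and-alias trigger described under Attack Vector: it estimates how many source lines a YAML document occupies once every alias is expanded, so a loader can refuse a compose file whose expansion exceeds a budget before handing it to the real parser. The token regexes, the indentation-based block detection and the two sample documents are constructed heuristics and assumptions of this example, not compose-go's logic.

```python
import re

# Heuristic YAML tokens: '&name' defines an anchor, '*name' references one; the
# lookbehind skips '&' or '*' glued to a word or quote character ("a&b", '*').
ANCHOR_RE = re.compile(r"(?<![\w\"'])&([\w./-]+)")
ALIAS_RE = re.compile(r"(?<![\w\"'])\*([\w./-]+)")


def estimate_alias_expansion(yaml_text: str) -> int:
    """Source lines occupied once every alias is expanded (each anchored block counts
    once where defined plus once per alias, recursively); ValueError on a cycle."""
    # Drop comments ('#' at line start or after whitespace) but keep line positions.
    lines = [re.split(r"(?:^|\s)#", l, maxsplit=1)[0] for l in yaml_text.splitlines()]
    nonblank = [i for i, l in enumerate(lines) if l.strip()]
    indent = lambda i: len(lines[i]) - len(lines[i].lstrip(" "))
    blocks = {}  # anchor -> (first, last) line of its block: the deeper-indented lines
    for i in nonblank:
        for name in ANCHOR_RE.findall(lines[i]):
            end = i
            for j in (j for j in nonblank if j > i):
                if indent(j) <= indent(i):
                    break
                end = j
            blocks[name] = (i, end)
    cache = {}  # memoised, so the estimator itself stays linear on hostile input

    def cost(name, path):
        if name in path:
            raise ValueError(f"recursive alias *{name}")
        if name not in blocks:
            return 0  # undefined alias: the real parser rejects it anyway
        if name not in cache:
            start, end = blocks[name]
            total = end - start + 1
            for k in range(start, end + 1):
                for ref in ALIAS_RE.findall(lines[k]):
                    total += cost(ref, path | {name})
            cache[name] = total
        return cache[name]

    total = len(nonblank)
    for i in nonblank:
        for ref in ALIAS_RE.findall(lines[i]):
            total += cost(ref, frozenset())
    return total


# Constructed samples: a compose file sharing one anchor (expands to 11 lines), and
# nested aliases multiplying fourfold per level (7 source lines expand to 7279).
BENIGN = "x-common: &common\n  image: alpine\nservices:\n  web:\n    <<: *common\n  worker:\n    <<: *common\n"
EXPLOSIVE = "a: &a [1, 1, 1, 1]\n" + "".join(
    f"{n}: &{n} [*{p}, *{p}, *{p}, *{p}]\n" for p, n in zip("abcdef", "bcdefg"))
```

Compare the estimate against a budget before parsing, and treat the ValueError raised for recursive aliasing as a rejection too. This is a compensating control in front of the parser, not a replacement for upgrading past the affected range.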

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/compose-spec/compose-go/v2 (Go)
Affected versions: >= 2.1.0, < 2.4.1
Patched versions: 2.4.1

Patches (1)

Commit d239f0f3187a

check container_name is not in use by another service we will create

https://github.com/docker/compose · Nicolas De Loof · Apr 11, 2024 · via ghsa
6 files changed · +70 −4
  • cmd/compose/config.go (+7 −0, modified)
    @@ -169,6 +169,13 @@ func runConfig(ctx context.Context, dockerCli command.Cli, opts configOptions, s
     			return err
     		}
     
    +		if !opts.noConsistency {
    +			err := project.CheckContainerNameUnicity()
    +			if err != nil {
    +				return err
    +			}
    +		}
    +
     		switch opts.Format {
     		case "json":
     			content, err = project.MarshalJSON()
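Review bot: the new `err := project.CheckContainerNameUnicity()` inside the `if !opts.noConsistency` block shadows the `err` already in scope (see the `return err` context just above the hunk); prefer the single-statement form `if err := project.CheckContainerNameUnicity(); err != nil { return err }` so the shadowing is explicit and the variable does not outlive the check. Gating the check on `noConsistency` matches how `config` treats its other consistency checks, but a one-line comment noting that `--no-consistency` also disables this duplicate-name check would save the next reader a lookup.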
    
  • go.mod (+1 −1, modified)
    @@ -7,7 +7,7 @@ require (
     	github.com/Microsoft/go-winio v0.6.1
     	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
     	github.com/buger/goterm v1.0.4
    -	github.com/compose-spec/compose-go/v2 v2.0.3-0.20240407191136-f388192b8a39
    +	github.com/compose-spec/compose-go/v2 v2.0.3-0.20240416141209-60aa6409b2c4
     	github.com/containerd/console v1.0.4
     	github.com/containerd/containerd v1.7.13
     	github.com/davecgh/go-spew v1.1.1
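Review bot: the bump pins compose-go to the pseudo-version `v2.0.3-0.20240416141209-60aa6409b2c4`, a commit rather than a tagged release, presumably the one that introduces `CheckContainerNameUnicity`; it should be replaced by the next tag once one is cut. Note also that this pin sorts below `2.4.1`, the patched version listed under Affected packages for CVE-2024-10846, so this commit on its own does not move Compose onto the compose-go release that addresses the resource-consumption issue.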
    
  • go.sum (+2 −2, modified)
    @@ -90,8 +90,8 @@ github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+g
     github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
     github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
     github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
    -github.com/compose-spec/compose-go/v2 v2.0.3-0.20240407191136-f388192b8a39 h1:ZUpnv0xA75X9gy9Y7hjJm51nflGbr+2URaLXBtEic7A=
    -github.com/compose-spec/compose-go/v2 v2.0.3-0.20240407191136-f388192b8a39/go.mod h1:bEPizBkIojlQ20pi2vNluBa58tevvj0Y18oUSHPyfdc=
    +github.com/compose-spec/compose-go/v2 v2.0.3-0.20240416141209-60aa6409b2c4 h1:WYiZ9D0WBykHUJLlpt+w7NXX0hy+cQKKdVe7vmsNZvg=
    +github.com/compose-spec/compose-go/v2 v2.0.3-0.20240416141209-60aa6409b2c4/go.mod h1:bEPizBkIojlQ20pi2vNluBa58tevvj0Y18oUSHPyfdc=
     github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
     github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
     github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
    
  • pkg/compose/create.go (+6 −1, modified)
    @@ -77,8 +77,13 @@ func (s *composeService) create(ctx context.Context, project *types.Project, opt
     		options.Services = project.ServiceNames()
     	}
     
    +	err := project.CheckContainerNameUnicity()
    +	if err != nil {
    +		return err
    +	}
    +
     	var observedState Containers
    -	observedState, err := s.getContainers(ctx, project.Name, oneOffInclude, true)
    +	observedState, err = s.getContainers(ctx, project.Name, oneOffInclude, true)
     	if err != nil {
     		return err
     	}
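Review bot: `CheckContainerNameUnicity` is called on `project`, so it covers whatever services `project` holds at this point; the accompanying e2e test expects `up test` to succeed while a plain `up` over both services fails, which only holds if `project` has already been reduced to the selected services before `create` runs. Add a comment stating that assumption (or restrict the check to `options.Services`) so a later refactor that passes the full project does not break single-service `up`. The `:=` to `=` change on `observedState, err = s.getContainers(...)` is needed because `err` is now declared above it; that part is fine.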
    
  • pkg/e2e/container_name_test.go (+44 −0, added)
    @@ -0,0 +1,44 @@
    +//go:build !windows
    +// +build !windows
    +
    +/*
    +   Copyright 2022 Docker Compose CLI authors
    +
    +   Licensed under the Apache License, Version 2.0 (the "License");
    +   you may not use this file except in compliance with the License.
    +   You may obtain a copy of the License at
    +
    +       http://www.apache.org/licenses/LICENSE-2.0
    +
    +   Unless required by applicable law or agreed to in writing, software
    +   distributed under the License is distributed on an "AS IS" BASIS,
    +   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +   See the License for the specific language governing permissions and
    +   limitations under the License.
    +*/
    +
    +package e2e
    +
    +import (
    +	"testing"
    +
    +	"gotest.tools/v3/icmd"
    +)
    +
    +func TestUpContainerNameConflict(t *testing.T) {
    +	c := NewParallelCLI(t)
    +	const projectName = "e2e-container_name_conflict"
    +
    +	t.Cleanup(func() {
    +		c.RunDockerComposeCmd(t, "--project-name", projectName, "down")
    +	})
    +
    +	res := c.RunDockerComposeCmdNoCheck(t, "-f", "fixtures/container_name/compose.yaml", "--project-name", projectName, "up")
    +	res.Assert(t, icmd.Expected{ExitCode: 1, Err: `container name "test" is already in use`})
    +
    +	c.RunDockerComposeCmd(t, "--project-name", projectName, "down")
    +	c.RunDockerComposeCmd(t, "-f", "fixtures/container_name/compose.yaml", "--project-name", projectName, "up", "test")
    +
    +	c.RunDockerComposeCmd(t, "--project-name", projectName, "down")
    +	c.RunDockerComposeCmd(t, "-f", "fixtures/container_name/compose.yaml", "--project-name", projectName, "up", "another_test")
    +}
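Review bot: `res.Assert(t, icmd.Expected{ExitCode: 1, Err: `container name "test" is already in use`})` couples the e2e test to an error message produced in the compose-go dependency rather than in this repository, so a wording change upstream fails this test without any behavioural regression; assert on the exit code plus a shorter stable fragment, or own the message here. The two positive runs (`up test`, `up another_test`) only check that the command exits 0; asserting that the `test` container exists after each would make them meaningful. Minor: the license header says Copyright 2022 for a file added in 2024.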
    
  • pkg/e2e/fixtures/container_name/compose.yaml (+10 −0, added)
    @@ -0,0 +1,10 @@
    +services:
    +  test:
    +    image: alpine
    +    container_name: test
    +    command: /bin/true
    +
    +  another_test:
    +    image: alpine
    +    container_name: test
    +    command: /bin/true
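Review bot: the two services deliberately share `container_name: test`, but nothing in the fixture says so; add a leading YAML comment stating that the duplicate is intentional and exercised by `TestUpContainerNameConflict`, otherwise it reads like a copy-paste mistake to anyone tidying fixtures. Pinning `image: alpine` to a specific tag would also keep the e2e run reproducible.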
    
