CVE-2025-53825

Dokploy · Dokploy

A critical vulnerability has been identified in the Dokploy Platform as a Service (PaaS) solution, assigned CVE-2025-53825 with a CVSS score of 9.4.

Executive summary

Dokploy, an open-source, self-hostable Platform as a Service (PaaS), is affected by a critical vulnerability tracked as CVE-2025-53825 with a CVSS score of 9.4. The flaw lets an unauthenticated remote attacker execute arbitrary code on the server through the preview deployment feature. Successful exploitation gives full control of the Dokploy instance and, with it, the data, secrets and services it manages, plus a foothold on the underlying infrastructure.

Vulnerability

The vulnerability lies in Dokploy's preview deployment feature, which creates temporary deployments for testing. Affected versions (prior to 0.24.3) do not enforce authentication on the code path that accepts and builds a preview deployment. A remote attacker can therefore submit a malicious payload, such as a container image or build instructions containing arbitrary commands, which the Dokploy server processes and executes. The attacker gains code execution with the privileges of the Dokploy process, which on a typical installation controls the Docker engine on the host. Because no credentials are involved, strong administrator passwords or session settings offer no protection: any instance whose preview deployment endpoints are reachable from the network is exposed.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.4. A successful exploit allows for unauthenticated Remote Code Execution (RCE), which poses a direct and severe threat to the organization. An attacker could take complete control of the Dokploy server, leading to several adverse outcomes:

  • Data Breach: Theft of sensitive data, including application source code, configuration secrets, API keys, and customer data stored in hosted applications.
  • Service Disruption: The ability to stop, modify, or delete all applications and services hosted on the platform, causing significant operational downtime.
  • Infrastructure Compromise: The compromised server could be used as a pivot point to launch further attacks against other systems within the internal network.
  • Reputational and Financial Damage: A public breach would result in a loss of customer trust, potential regulatory fines, and significant costs associated with incident response and recovery.

Remediation

Immediate Action: Upgrade all Dokploy instances to version 0.24.3 or later. This is the only complete fix, since the patched release corrects the missing authentication check in the preview deployment feature. After updating, review system, web server and application logs covering the period before the patch for signs of compromise; if any are found, treat secrets held on the instance (environment variables, Git and registry credentials, API keys) as exposed and rotate them.
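The following script is an added example, not Dokploy's own code, for turning the "0.24.3 or later" requirement into a fleet check. It assumes you have already collected a version string per host; the inventory it runs on is constructed. It compares version components as integers (a plain string comparison would sort 0.9.x after 0.24.x and wrongly report it as patched), treats a pre-release of 0.24.3 as still affected, and reports unparseable strings such as `latest` as unknown so they get a manual look instead of a guess.

```python
"""Triage an inventory of Dokploy hosts against the fixed release for
CVE-2025-53825 (0.24.3).

Added example, not Dokploy's own code. It assumes you have already
collected a version string per host; the inventory below is constructed.
"""
import re

FIXED = (0, 24, 3)  # first release the advisory states as patched

# Accepts "0.24.2", "v0.24.2", "0.24.3-rc.1", "0.24.3+build.7".
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None).

    Components are compared as integers: a plain string comparison would
    sort "0.9.x" after "0.24.x" and wrongly mark it as patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    return core, m["pre"]


def is_affected(text):
    """True when the version predates the fix.

    A pre-release of the fixed version (0.24.3-rc.1) is still treated as
    affected: the advisory only vouches for 0.24.3 and later.
    """
    core, pre = parse_version(text)
    return core < FIXED or (core == FIXED and pre is not None)


def triage(inventory):
    """Map host -> 'affected' | 'patched' | 'unknown'.

    Unparseable strings (a 'latest' tag, an empty field) are reported as
    unknown rather than guessed, so they get a manual check.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "paas-01": "v0.24.2",
    "paas-02": "0.24.3",
    "paas-03": "0.9.12",
    "paas-04": "0.24.3-rc.1",
    "paas-05": "latest",
    "paas-06": "0.25.0",
}

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {state}")
```

Feed it the output of whatever you use to read the version from each host (package metadata, the container image tag, or the version shown in the UI); anything reported as unknown should be resolved by hand rather than assumed patched.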

Proactive Monitoring:

  • Log Analysis: Scrutinize reverse-proxy, web server and application logs for requests to the preview deployment API endpoints from untrusted or unexpected IP addresses. Do not filter on error status codes: before the patch, a successful exploit returns a normal 2xx response.
  • Process Monitoring: Monitor for any unusual or unauthorized processes, container executions, or shell commands running on the Dokploy host server.
  • Network Traffic: Analyze outbound network traffic from the Dokploy server for connections to unknown or malicious command-and-control (C2) servers.
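As an added example for the log analysis step above (not Dokploy's own tooling), the script below scans access-log lines for requests to preview deployment routes from outside an IP allow-list. It assumes the log is in the nginx/Apache "combined" format (Traefik can write the same), that the management API is served under `/api/`, and that preview deployment routes can be recognised by the word "preview" in the path; `PREVIEW_PATH` is a placeholder to replace with the exact paths you observe in your own Dokploy logs. The trusted networks and the log lines are constructed. Note that it deliberately keeps 2xx responses, since those are what a successful pre-patch exploit produces.

```python
"""Scan reverse-proxy access logs for requests to Dokploy's preview
deployment routes from sources outside an IP allow-list.

Added example, not Dokploy's own tooling. Assumptions: the log is in the
nginx/Apache "combined" format (Traefik can write the same), the
management API is served under /api/, and preview deployment routes can
be recognised by the word "preview" in the path. PREVIEW_PATH is a
placeholder; replace it with the exact paths you observe in your own
Dokploy logs. The networks and log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumption: administrative access comes only from these ranges.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")
]

# Assumption: placeholder route pattern, see module docstring.
PREVIEW_PATH = re.compile(r"^/api/.*preview", re.IGNORECASE)

# "combined" format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_trusted(ip_text):
    """True if the client address lies inside TRUSTED_NETWORKS.

    A field that is not an IP address at all (log injection, a proxy that
    wrote a hostname) is treated as untrusted rather than skipped.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious(lines):
    """Entries that hit a preview deployment route from an untrusted source.

    The status code is deliberately not used as a filter: before the
    patch a successful exploit comes back 2xx, so those lines matter most.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if PREVIEW_PATH.match(entry["path"]) and not is_trusted(entry["ip"]):
            hits.append(entry)
    return hits


def summarise(hits):
    """Suspicious request count per source IP."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log: documentation IP ranges and made-up paths.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2025:10:01:12 +0000] "POST /api/preview/deploy HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.4.2 - - [20/Jul/2025:10:02:30 +0000] "GET /api/preview/list HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2025:10:02:45 +0000] "GET /dashboard HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.9 - - [20/Jul/2025:10:03:01 +0000] "POST /api/preview/deploy HTTP/1.1" 200 512 "-" "python-requests/2.32"
this line is not an access-log entry
"""

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per source:", dict(summarise(hits)))
```

Run it over the proxy logs for the whole window in which the instance was unpatched, not just recent days; the per-source summary is there to separate one-off scanners from an actor that kept coming back.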

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Firewall Rules: Restrict access to the Dokploy management interface and API endpoints at the network level, allowing connections only from trusted IP addresses (e.g., internal administrative networks or specific IP allow-lists).
  • Disable Feature: If preview deployments are not essential for business operations, disable the feature on each application that uses it (and do not enable it on new ones) until the upgrade is complete, so the vulnerable code path is not exercised.
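For the firewall control above, here is an added example (not part of Dokploy) that renders an nftables ruleset restricting the management port to an IP allow-list. It assumes the panel listens on TCP 3000, Dokploy's documented default (change `PORT` if you moved it); the allow-list it ships with is constructed. Two details matter in practice: IPv4 and IPv6 sources need separate matches, and the chain hooks `prerouting` at raw priority so it runs before Docker's DNAT and therefore also covers a port published from a container, which an `input`-hook rule would never see because that traffic is forwarded rather than delivered locally. If the panel is also published through a reverse proxy on 80/443 under its own hostname, apply the same allow-list at that proxy; this rule only covers the port it names.

```python
"""Render an nftables ruleset that restricts Dokploy's management port to
an IP allow-list, as a stop-gap until the instance is upgraded.

Added example, not part of Dokploy. Assumptions: the panel listens on TCP
3000 (Dokploy's documented default; change PORT if you moved it) and the
allow-list below is constructed.
"""
import ipaddress
import sys

PORT = 3000  # assumption: Dokploy's default UI/API port


def parse_allow_list(cidrs):
    """Split entries into IPv4 and IPv6 networks.

    ip_network() is left strict so an entry with host bits set, such as
    '10.1.2.3/8', is rejected instead of being quietly widened to the
    whole /8, and a malformed entry raises rather than opening the port.
    """
    v4, v6 = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)  # ValueError on bad input
        (v4 if net.version == 4 else v6).append(str(net))
    if not v4 and not v6:
        raise ValueError("allow-list is empty")
    return v4, v6


def _set_block(name, addr_type, elements):
    return [
        f"    set {name} {{",
        f"        type {addr_type}",
        "        flags interval",
        f"        elements = {{ {', '.join(elements)} }}",
        "    }",
    ]


def render_ruleset(cidrs, port=PORT, table="dokploy_guard"):
    """Return nftables text accepting port/tcp only from the allow-list.

    IPv4 and IPv6 sources need separate matches (ip saddr vs ip6 saddr).
    The chain hooks prerouting at raw priority (-300) so it runs before
    Docker's DNAT and therefore also covers a port published from a
    container; an input-hook rule would never see that traffic.
    """
    v4, v6 = parse_allow_list(cidrs)
    # Declare then delete so the file can be re-applied with `nft -f`
    # without "table does not exist" errors on first load.
    lines = [f"table inet {table}", f"delete table inet {table}", f"table inet {table} {{"]
    if v4:
        lines += _set_block("allow_v4", "ipv4_addr", v4)
    if v6:
        lines += _set_block("allow_v6", "ipv6_addr", v6)
    lines += [
        "    chain guard {",
        "        type filter hook prerouting priority -300; policy accept;",
        '        iif "lo" accept',
    ]
    if v4:
        lines.append(f"        tcp dport {port} ip saddr @allow_v4 accept")
    if v6:
        lines.append(f"        tcp dport {port} ip6 saddr @allow_v6 accept")
    lines += [f"        tcp dport {port} drop", "    }", "}"]
    return "\n".join(lines) + "\n"


# Constructed allow-list (documentation ranges).
SAMPLE_ALLOW_LIST = ["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    # Review the output, then load it with: sudo nft -f dokploy_guard.nft
    sys.stdout.write(render_ruleset(sys.argv[1:] or SAMPLE_ALLOW_LIST))
```

Pass your real ranges as arguments, write the output to a file, read it once, then load it with `nft -f`; the declare-then-delete prologue makes reloading after an allow-list change safe.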

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the CVSS score of 9.4 and the unauthenticated remote code execution it enables, this vulnerability is an immediate and significant threat. All system owners should treat the upgrade to Dokploy 0.24.3 or later as an emergency change. Although this CVE is not currently on the CISA KEV list, an unauthenticated RCE in an internet-facing management platform is a prime candidate for future inclusion and widespread exploitation, and proactive patching is the most effective way to prevent a compromise.