Impact
Dokku, a Docker-based platform as a service, suffered a high-severity remote code execution flaw in its openresty-vhosts plugin. Before version 0.38.2 the plugin copies files from an application's openresty/http-includes/ git directory to the host and then inserts their filenames into a single-quoted shell string that is later executed with eval. A file whose name contains a single quote terminates the quoted literal early, so the rest of the name is parsed as shell syntax and can perform command substitution; an attacker who can commit such a file gains arbitrary command execution as the dokku user the next time the application is deployed. This weakness corresponds to CWE-95 (eval injection).
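The quoting defect described above, as an added example that is not the plugin's own code: a hypothetical filename allow-list and a POSIX-safe quoting helper are shown beside the unsafe concatenation pattern, so the difference in how a name containing a quote is handled can be seen directly.

```shell
# Added example, not code from the Dokku openresty-vhosts plugin. Contrasts
# the advisory's pattern (names concatenated into a single-quoted string that
# is later eval'd) with an allow-list check and safe quoting. All names here
# are hypothetical.

# Allow-list: letters, digits, dot, dash, underscore. A quote, $, backtick,
# space or newline anywhere in the name makes the check fail.
is_safe_include_name() {
  case "$1" in
    "" | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Unsafe construction (the advisory's pattern): a quote inside the name closes
# the literal early, and the remainder becomes shell syntax once the string is
# eval'd. Shown for contrast only; never eval its output.
unsafe_include_list() {
  list=""
  for name in "$@"; do
    list="$list '$name'"
  done
  printf '%s' "$list"
}

# Safe quoting: each embedded single quote becomes '\'' so the name survives
# eval as exactly one word, whatever characters it contains.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

safe_include_list() {
  list=""
  for name in "$@"; do
    list="$list $(shell_quote "$name")"
  done
  printf '%s' "$list"
}

# Deploy-time gate: reject a directory holding any unsafe include name and
# return non-zero so the caller can abort before any command string is built.
vet_include_dir() {
  for f in "$1"/*; do
    [ -e "$f" ] || continue
    if ! is_safe_include_name "${f##*/}"; then
      printf 'rejected include name: %s\n' "${f##*/}" >&2
      return 1
    fi
  done
  return 0
}
```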
Affected Systems
The vulnerability affects every Dokku installation that uses the openresty-vhosts plugin before release 0.38.2; anyone running an older version, irrespective of other configuration, is potentially impacted.
Risk and Exploitability
With a CVSS score of 9 the flaw is considered critical. No EPSS score is available, so the likelihood of exploitation cannot be quantified, but the high severity and the lack of countermeasures make exploitation plausible. The vulnerability is not listed in CISA's KEV catalogue, yet an attacker could exploit it by pushing a specially crafted file into the openresty/http-includes/ directory of an application repository and triggering a deploy, obtaining shell access as the dokku user during deployment. The attack requires write access to the repository, which typically means privileged deploy or git push rights.
OpenCVE Enrichment