Cyber Web Spider Blog – News
Windows Docker Desktop Vulnerability Leads to Full Host Compromise

Posted on August 22, 2025 By CWS

A newly disclosed vulnerability in Docker Desktop for Windows has revealed how a simple Server-Side Request Forgery (SSRF) attack can lead to full host system compromise.

CVE-2025-9074, discovered by Felix Boulet and reported on August 21, 2025, affects all Docker Desktop versions prior to 4.44.3 and demonstrates how container isolation can be completely bypassed through unauthenticated API access.

Key Takeaways
1. Docker Desktop containers can reach an unauthenticated API, leading to full host compromise.
2. Two HTTP requests create a privileged container with host filesystem access.
3. Update Docker Desktop immediately.

The vulnerability was discovered by accident during routine network scanning and highlights critical gaps in Docker's internal security architecture.

Philippe Dugre from Pvotal Technologies independently discovered a similar issue on macOS, emphasizing the cross-platform nature of this security flaw.

The vulnerability stems from Docker Desktop exposing its internal HTTP API endpoint without any authentication mechanism.

Any container running within the Docker environment can reach this endpoint and execute privileged operations against the host system.

This represents a fundamental breakdown of the container isolation model, in which workloads should be completely separated from their host environment.

The attack surface was particularly concerning because it required minimal technical sophistication: attackers needed only basic HTTP request capabilities rather than complex exploit chains or memory corruption techniques.

Docker Container Exploitation Process

The exploitation process requires just two HTTP POST requests executed from inside any container environment.

The first request targets the /containers/create endpoint with a JSON payload that configures a new privileged container with host filesystem bindings.

The critical configuration parameter involves mounting the Windows C: drive (/mnt/host/c) to a container path (/host_root), effectively providing unrestricted access to the entire host filesystem.

The JSON payload also specifies commands that run automatically on container startup, enabling immediate post-exploitation actions.

The second HTTP request initiates container execution through the /containers/{id}/start endpoint, launching the malicious container with elevated privileges.

This two-step process bypasses all Docker security controls and grants attackers the same level of access as local administrator accounts.

The vulnerability is particularly insidious because it can be exploited through SSRF attacks, meaning attackers do not require direct code execution inside containers; they only need the ability to trigger HTTP requests from compromised web applications or services running in containerized environments.
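As an added example (not code from the article, the researchers, or Docker), the following Python script shows what the two-request sequence described above looks like from the detection side: it walks a log of Docker Engine API requests, flags any /containers/create body that asks for a privileged container or a bind of the host filesystem, remembers the container id returned, and links the later /containers/{id}/start call to it. The log format (JSON lines with ts, src, method, path, body and response fields captured by a proxy or audit hook in front of the Engine API) and the treatment of 192.168.65.0/24 as the container-side network are both assumptions; the article only gives the endpoint address 192.168.65.7:2375. The sample log is constructed.

```python
"""Detect CVE-2025-9074-style container-create requests in a Docker Engine API log.
Constructed example written for this article; not code from the advisory, the
researchers, or Docker. Assumed input: JSON-lines records, one object per request,
with keys ts, src, method, path, body and response (all assumptions)."""
import ipaddress
import json
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Assumption: Docker Desktop's internal VM network. The article lists 192.168.65.7:2375
# as the exposed endpoint, so callers in this range are treated as containers.
CONTAINER_NET = ipaddress.ip_network("192.168.65.0/24")


class Alert(NamedTuple):
    ts: str
    action: str                 # "create" or "start"
    container_id: Optional[str]
    severity: str               # "critical", "high" or "medium"
    reasons: Tuple[str, ...]


def bind_source(bind: str) -> str:
    """Host side of a Binds entry ("host:container[:opts]"), drive letters included."""
    start = 2 if len(bind) > 1 and bind[1] == ":" and bind[0].isalpha() else 0
    idx = bind.find(":", start)
    return bind if idx == -1 else bind[:idx]


def exposes_host_fs(src: str) -> bool:
    """True for the filesystem root, a Windows drive root, or Docker Desktop's
    /mnt/host/<drive> mount named in the article (and anything beneath it)."""
    s = src.replace("\\", "/").rstrip("/").lower()   # "/" normalises to ""
    if s in ("", "/mnt/host") or s.startswith("/mnt/host/"):
        return True
    return len(s) == 2 and s[1] == ":" and s[0].isalpha()


def assess_create(body: Dict) -> List[str]:
    """Reasons a /containers/create body would hand the container host-level access."""
    hc = body.get("HostConfig") or {}
    reasons = ["privileged"] if hc.get("Privileged") else []
    for bind in hc.get("Binds") or []:
        src = bind_source(bind)
        if exposes_host_fs(src):
            reasons.append("host-bind:" + src)
    return reasons


def severity(reasons: List[str], from_container: bool) -> str:
    """Privileged or host-bound containers are risky from anywhere; requested from
    inside a container they are the exact pattern of the vulnerability."""
    dangerous = any(r == "privileged" or r.startswith("host-bind:") for r in reasons)
    if dangerous and from_container:
        return "critical"
    return "high" if dangerous else "medium"


def analyse(lines: Iterable[str]) -> List[Alert]:
    """Walk the log once: flag risky creates, remember the ids they returned, and
    flag the later /start of those ids so the two-request sequence is linked."""
    flagged: Dict[str, Alert] = {}
    alerts: List[Alert] = []
    for raw in lines:
        rec = json.loads(raw)
        if rec.get("method") != "POST":
            continue
        path = rec["path"].rstrip("/")          # tolerate a /v1.xx/ API-version prefix
        src = rec.get("src") or ""
        from_container = bool(src) and ipaddress.ip_address(src) in CONTAINER_NET
        if path.endswith("/containers/create"):
            reasons = assess_create(rec.get("body") or {})
            if from_container:                  # any container-side API call is itself the flaw
                reasons.append("source-in-container-net")
            if not reasons:
                continue
            cid = (rec.get("response") or {}).get("Id")
            alert = Alert(rec["ts"], "create", cid, severity(reasons, from_container), tuple(reasons))
            alerts.append(alert)
            if cid:
                flagged[cid] = alert
        elif "/containers/" in path and path.endswith("/start"):
            prefix = path.split("/containers/", 1)[1].split("/", 1)[0]
            hit = next((c for c in flagged if c.startswith(prefix)), None)  # ids may be shortened
            if hit:
                alerts.append(Alert(rec["ts"], "start", hit, flagged[hit].severity, flagged[hit].reasons))
    return alerts


# Constructed sample log: an admin-side create, the two-request sequence the article
# describes issued from inside a container, then a benign container-side create.
SAMPLE_LOG = [
    json.dumps({"ts": "2025-08-21T10:00:01Z", "src": "10.0.0.5", "method": "POST",
                "path": "/v1.43/containers/create", "response": {"Id": "1111aaaa"},
                "body": {"Image": "nginx", "HostConfig": {"Binds": ["web-data:/usr/share/nginx/html"]}}}),
    json.dumps({"ts": "2025-08-21T10:02:15Z", "src": "192.168.65.3", "method": "POST",
                "path": "/containers/create", "response": {"Id": "deadbeef0001"},
                "body": {"Image": "alpine", "Cmd": ["sh"],
                         "HostConfig": {"Privileged": True, "Binds": ["/mnt/host/c:/host_root"]}}}),
    json.dumps({"ts": "2025-08-21T10:02:16Z", "src": "192.168.65.3", "method": "POST",
                "path": "/containers/deadbeef/start", "body": None, "response": None}),
    json.dumps({"ts": "2025-08-21T10:05:00Z", "src": "192.168.65.9", "method": "POST",
                "path": "/containers/create", "response": {"Id": "2222bbbb"},
                "body": {"Image": "alpine", "HostConfig": {"Binds": ["scratch:/tmp/scratch"]}}}),
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a.ts, a.severity, a.action, a.container_id, ", ".join(a.reasons))
```

Run stand-alone, the script prints three alerts: a critical create for the privileged, host-bound container, the linked critical start of the same id, and a medium alert for the last record. That last one matters: a harmless-looking create from the container network still deserves attention, because an Engine API that answers containers without authentication is the flaw regardless of payload, and the only fix remains updating Docker Desktop to 4.44.3.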

Risk Factors / Details
Affected Products: Docker Desktop for Windows (versions prior to 4.44.3)
Impact: Full host system compromise
Exploit Prerequisites: access to any container environment; ability to make HTTP requests; network connectivity to 192.168.65.7:2375
CVSS 3.1 Score: Not specified

Proof of Concept

The proof of concept demonstrates the vulnerability's simplicity using standard wget commands executable from any Alpine Linux container.

The exploit creates a privileged container that mounts the host C: drive and executes arbitrary commands.

Docker responded quickly to this disclosure, releasing version 4.44.3 with full remediation of the vulnerability.

The fix implements proper authentication controls for internal API endpoints and strengthens network segmentation between container workloads and Docker's control plane.

Security researchers recommend updating to the patched version immediately, as no workarounds exist for affected systems.
