Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3

Posted on August 25, 2025 By CWS

Aug 25, 2025Ravie LakshmananContainer Safety / Vulnerability
Docker has launched fixes to deal with a essential safety flaw affecting the Docker Desktop app for Home windows and macOS that would probably enable an attacker to interrupt out of the confines of a container.
The vulnerability, tracked as CVE-2025-9074, carries a CVSS rating of 9.3 out of 10.0. It has been addressed in model 4.44.3.
“A malicious container working on Docker Desktop might entry the Docker Engine and launch further containers with out requiring the Docker socket to be mounted,” Docker mentioned in an advisory launched final week.
“This might enable unauthorized entry to person recordsdata on the host system. Enhanced Container Isolation (ECI) doesn’t mitigate this vulnerability.”

According to security researcher Felix Boulet, the vulnerability has to do with how it’s possible for a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, thereby opening the door to a scenario where a privileged container could gain full access to the underlying host upon mounting the C: drive into it.
In a proof-of-concept (PoC) exploit, a web request from any container has been found to trigger the flaw and result in a full compromise of the host:

  • POST a JSON payload to “/containers/create,” binding the host C: drive to a folder in the container (/mnt/host/c:/host_root), and using a startup command to write or read anything under /host_root on container startup.
  • POST to “/containers/{id}/start” to launch the container and start the execution.
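
As an added example (not from Docker's advisory or the researchers' write-ups), the following Python code audits `docker inspect` output for containers whose bind mounts expose a host drive root, which is what the container-create step above sets up. The sample data is constructed, and the `/mnt/host/<letter>` pattern is an assumption generalised from the `/mnt/host/c` path quoted above.

```python
import json
import re

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Binds": ["/srv/app/data:/data:ro"], "Mounts": None}},
    {"Name": "/suspect", "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]}},
    {"Name": "/builder", "HostConfig": {"Binds": None, "Mounts": [
        {"Type": "bind", "Source": "/", "Target": "/rootfs"}]}},
    {"Name": "/cache", "HostConfig": {"Mounts": [
        {"Type": "volume", "Source": "cache", "Target": "/c"}]}},
])

# Assumption: a host drive root appears as /mnt/host/<letter>, generalised from
# the /mnt/host/c path in the article; "/" is the root of the Docker VM itself.
HOST_ROOT = re.compile(r"^(/|/mnt/host/[a-z])/?$", re.IGNORECASE)


def bind_sources(host_config):
    """Yield (source, target) for every bind mount in a HostConfig dict."""
    # Short syntax: "source:target[:options]"
    for spec in host_config.get("Binds") or []:
        parts = spec.split(":")
        if len(parts) >= 2:
            yield parts[0], parts[1]
    # Long syntax: Mount objects; only Type == "bind" maps a host path.
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind":
            yield mount.get("Source", ""), mount.get("Target", "")


def find_host_root_binds(inspect_json):
    """Return (container, source, target) for binds that expose a host root."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for src, dst in bind_sources(container.get("HostConfig") or {}):
            if HOST_ROOT.match(src):
                findings.append((name, src, dst))
    return findings


if __name__ == "__main__":
    for name, src, dst in find_host_root_binds(SAMPLE_INSPECT):
        print(f"{name}: host root {src} bind-mounted at {dst}")
```

On a real host, the input would come from `docker inspect $(docker ps -aq)`; any hit on a machine that ran a Docker Desktop version older than 4.44.3 deserves a closer look.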

“At its core, this vulnerability was a simple oversight, Docker’s internal HTTP API was reachable from any container without authentication or access controls,” Boulet said.

PVOTAL Technologies researcher Philippe Dugre (“zer0x64”), who further examined the flaw, said an attacker can exploit the flaw on the Windows version of Docker Desktop to mount as an administrator the entire file system, read any sensitive file, and overwrite a system DLL to escalate the attacker to administrator of the host system.
“On macOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission,” Dugre said. “By default, the Docker application does not have access to the rest of the file system and does not run with administrative privileges, so the host is a lot safer than in the Windows case.”
“However, the attacker does still have full control of the Docker application/containers and can even backdoor it by mounting and modifying the application’s configuration, which does not need any user approval.”

The vulnerability does not impact the Linux version since Linux uses a named pipe on the host’s file system, rather than relying on a TCP socket for the Docker Engine’s API.
The easiest way to leverage the vulnerability is via a threat actor-controlled malicious container. That said, a server-side request forgery (SSRF) flaw can be used as an alternate attack vector.
“This vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, the impact of which varies especially depending on the availability of HTTP request methods (most SSRF only allows GET requests, but some niche cases allow the use of POST, PATCH, DELETE methods),” Dugre said.
