CVE-2025-4095 is a Docker Desktop vulnerability on macOS.
Docker Desktop for macOS, the administration instrument for the app container system, has an authorization vulnerability that can be utilized for malicious functions.
A safety flaw has been found in Docker Desktop, registered underneath the CVE code CVE-2025-4095
Particularly, CVE-2025-4095 describes a safety vulnerability in Docker Desktop that impacts Registry Entry Administration (RAM). This refers to a safety function that lets directors limit the entry for builders inside their group to solely allowed registries.
The itemizing explains that, when a macOS configuration profile is used to implement the organizational sign-in, RAM polices are usually not being utilized. The result’s that these Docker Desktop customers can pull down unauthorized photos from the registry, opening the door to malicious photos getting used.
CVE-2025-4095 is assessed as a “Medium” severity risk which implies it might have the potential to disrupt communications or enterprise.
For its half, Docker has launched a repair in Docker Desktop model 4.41, which is offered to obtain now. The straightforward repair for that is for directors to replace the affected Docker Desktop set up to the latest model.
What’s Docker?
One of many earliest and hottest container methods, Docker is a instrument for the event and deployment of apps and environments. The containers are methods for bundling improvement environments, construct methods, apps, and deployment data into one file.
In addition to creating the file, often known as an “picture,” Docker additionally handles the environments wanted to run them, too.
The most important advantage of containers is that they embrace every little thing wanted for improvement and deployment, which vastly reduces the time wanted to configure and provision methods wanted to run apps.
Varied registries exist that permit the cataloging and storing of container photos in a single central location. That is form of like GitHub, however for container photos as a substitute of for code itself.
There are registries run by container firms similar to Docker’s DockerHub, and there are third-party ones from different firms and organizations similar to Amazon ECR, Google, and Microsoft’s Azure.
To ensure that customers to entry and obtain container photos, a login to every registry is often required.
Docker additionally offers a macOS app referred to as Docker Desktop, which helps customers obtain and replace container photos on their Macs. One of many options of Docker Desktop is the power to log in and entry container photos utilizing credentials outlined in a configuration file.
For extra info, the Docker web site has documentation on Registry Entry Administration.
Additionally see CWE-862: Lacking Authorization (4.17), which particulars the type of vulnerability that the classification of this safety subject denotes.
