Docker has launched fixes to handle a crucial safety flaw affecting the Docker Desktop app for Home windows and macOS that might probably enable an attacker to interrupt out of the confines of a container.
The vulnerability, tracked as CVE-2025-9074, carries a CVSS rating of 9.3 out of 10.0. It has been addressed in model 4.44.3.
“A malicious container operating on Docker Desktop may entry the Docker Engine and launch extra containers with out requiring the Docker socket to be mounted,” Docker stated in an advisory launched final week.
“This might enable unauthorized entry to consumer information on the host system. Enhanced Container Isolation (ECI) doesn’t mitigate this vulnerability.”
In line with safety researcher Felix Boulet, the vulnerability has to do with the way it’s attainable for a container to hook up with the Docker Engine API at 192.168.65[.]7:2375 with out requiring any authentication, thereby opening the door to a situation the place a privileged container may achieve full entry to the underlying host upon mounting the C: drive into it.
In a proof-of-concept (PoC) exploit, an internet request from any container has been discovered to set off the flaw and lead to a full compromise of the host –
- POST a JSON payload to “/containers/create,” binding the host C: drive to a folder within the container (/mnt/host/c:/host_root) within the container, and utilizing a startup command to jot down or learn something beneath /host_root on container startup.
- POST to “/containers/{id}/begin” to launch the container and begin the execution
“At its core, this vulnerability was a easy oversight, Docker’s inner HTTP API was reachable from any container with out authentication or entry controls,” Boulet stated.
PVOTAL Applied sciences researcher Philippe Dugre (“zer0x64”), who additional examined the flaw, stated an attacker can exploit the flaw on the Home windows model of Docker Desktop to mount as an administrator all the file system, learn any delicate file, and overwrite a system DLL to escalate the attacker to administrator of the host system.
“On macOS, nevertheless, the Docker Desktop utility nonetheless has a layer of isolation and attempting to mount a consumer listing prompts the consumer for permission,” Dugre stated. “By default, the Docker utility doesn’t have entry to the remainder of the file system and doesn’t run with administrative privileges, so the host is quite a bit safer than within the Window’s case.”
“Nonetheless, the attacker does nonetheless have full management of the Docker utility/containers and may even backdoor it by mounting and modifying the applying’s configuration, which doesn’t want any consumer approval.”
The vulnerability doesn’t impression the Linux model since Linux makes use of a named pipe on the host’s file system, quite than counting on a TCP TCP socket for the Docker Engine’s API.
The simplest option to leverage the vulnerability is through a risk actor-controlled malicious container. That stated, a server-side request forgery (SSRF) flaw can be utilized as an alternate assault vector.
“This vulnerability permits an attacker to proxy requests by the susceptible utility and attain the Docker socket, the impression of which varies particularly relying on the supply of HTTP requests strategies (most SSRF solely permits GET requests, however some area of interest case permits using POST, PATCH, DELETE strategies),” Dugre stated.
