Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3

Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container.

The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3.

“A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” Docker said in an advisory released last week.

“This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability.”

According to security researcher Felix Boulet, the vulnerability has to do with how it's possible for a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, thereby opening the door to a scenario where a privileged container could gain full access to the underlying host upon mounting the C: drive into it.

In a proof-of-concept (PoC) exploit, a web request from any container has been found to trigger the flaw and result in a full compromise of the host:

  • POST a JSON payload to “/containers/create,” binding the host C: drive to a folder in the container (/mnt/host/c:/host_root), and using a startup command to write or read anything under /host_root on container startup.
  • POST to “/containers/{id}/start” to launch the container and start the execution.

“At its core, this vulnerability was a simple oversight, Docker’s internal HTTP API was reachable from any container without authentication or access controls,” Boulet said.

PVOTAL Technologies researcher Philippe Dugre (“zer0x64”), who further examined the flaw, said an attacker can exploit the flaw on the Windows version of Docker Desktop to mount as an administrator the entire file system, read any sensitive file, and overwrite a system DLL to escalate the attacker to administrator of the host system.

“On macOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission,” Dugre said. “By default, the Docker application does not have access to the rest of the file system and does not run with administrative privileges, so the host is a lot safer than in the Windows case.”

“However, the attacker does still have full control of the Docker application/containers and can even backdoor it by mounting and modifying the application’s configuration, which does not need any user approval.”

The vulnerability does not impact the Linux version since Linux uses a named pipe on the host’s file system, rather than relying on a TCP socket for the Docker Engine’s API.

The easiest way to leverage the vulnerability is via a threat actor-controlled malicious container. That said, a server-side request forgery (SSRF) flaw can be used as an alternate attack vector.

“This vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, the impact of which varies especially depending on the availability of HTTP request methods (most SSRF only allows GET requests, but some niche cases allow the use of POST, PATCH, DELETE methods),” Dugre said.
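
A defender's check for the exposure described above, run from inside a container on Docker Desktop: it asks whether the Engine API address named in the article still answers without credentials and combines that with the installed Desktop version. This is an added example, not code from Docker or the researchers; the use of the Engine API's read-only `/_ping` endpoint, the function names, and the operator-supplied version string are assumptions of the example.

```python
import http.client
import sys

FIXED_DESKTOP = (4, 44, 3)       # fixed Docker Desktop release named in the article
ENGINE_HOST, ENGINE_PORT = "192.168.65.7", 2375  # Engine API address named in the article


def parse_version(text):
    """'4.44.3', 'v4.44.3' or '4.44.3 (build)' -> (4, 44, 3)."""
    core = text.strip().split()[0].lstrip("v")
    return tuple(int(part) for part in core.split("."))


def is_patched(desktop_version):
    # Tuple comparison, so '4.9.9' correctly sorts below '4.44.3'.
    return parse_version(desktop_version) >= FIXED_DESKTOP


def classify_ping(status, body):
    """Interpret the reply to an unauthenticated GET /_ping."""
    if status == 200 and body.strip() == b"OK":
        return "exposed"          # the API answered with no credentials
    if status in (401, 403):
        return "auth-required"
    return "unexpected"           # something else is listening on that port


def probe_engine_api(host=ENGINE_HOST, port=ENGINE_PORT, timeout=3.0):
    """Read-only reachability check; sends nothing but GET /_ping."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/_ping")
        resp = conn.getresponse()
        return classify_ping(resp.status, resp.read(64))
    except (OSError, http.client.HTTPException):
        return "unreachable"      # refused, filtered or timed out
    finally:
        conn.close()


def assess(desktop_version, probe_state):
    if probe_state == "exposed":
        return "EXPOSED: Engine API answers without authentication; upgrade to 4.44.3 or later"
    if not is_patched(desktop_version):
        return "UPGRADE: API not reachable from here, but this version predates 4.44.3"
    return "OK: patched version and the API did not answer unauthenticated"


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else "0.0.0"  # operator-supplied
    print(assess(version, probe_engine_api()))
```

Pass the Docker Desktop version reported on the host as the first argument; an "EXPOSED" result on any version means the isolation the fix is meant to provide is not in effect for that container.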
