A critical vulnerability in Docker Desktop for Windows and macOS allows compromising the host by running a malicious container, even when the Enhanced Container Isolation (ECI) protection is active.
The security issue is a server-side request forgery (SSRF) now tracked as CVE-2025-9074, and it received a critical severity score of 9.3.
“A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” reads Docker’s bulletin.
“This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability.”
Security researcher and bug bounty hunter Felix Boulet found that the Docker Engine API could be reached without authentication at ‘http://192.168.65.7:2375/’ from inside any running container.
The researcher demonstrated the creation and start-up of a new container that binds the Windows host’s C: drive to the container’s filesystem using two wget HTTP POST requests.
Boulet’s proof-of-concept (PoC) exploit does not require code execution rights inside the container.
Philippe Dugre, a DevSecOps engineer at technology company Pvotal Technologies and a challenge designer for the NorthSec cybersecurity conference, confirmed that the vulnerability affected Docker Desktop for Windows and macOS but not the Linux version.
Dugre says that the vulnerability is less dangerous on macOS because of safeguards in the operating system. While he was able to create a file in the user’s home directory on Windows, the same could not be achieved on macOS without the user granting permission.
“On Windows, since the Docker Engine runs via WSL2, the attacker can mount as an administrator the entire filesystem, read any sensitive file, and eventually overwrite a system DLL to escalate the attacker to administrator of the host system,” – Philippe Dugre
“On macOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission. By default, the docker application does not have access to the rest of the filesystem and does not run with administrative privileges, so the host is a lot safer than in the Windows case,” he says.
However, the researcher warns that there is room for malicious activity even on macOS because an attacker has full control over the application and the containers, which creates the risk of backdooring or modifying the configuration without the need for permission.
Dugre says that the vulnerability is easy to leverage, and his exploit confirms this as it consists of just three lines of Python code.
The vulnerability was responsibly reported to Docker, who responded quickly and addressed it in a new Docker Desktop version, 4.44.3, released last week.
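A defender-side check for the exposure described above, added here and not code from the article or from either researcher: run inside a container on Docker Desktop, it asks the engine for its read-only /version endpoint at the address Boulet quoted and reports whether the engine answers without credentials, and whether the Docker Desktop version the operator supplies is at or past the 4.44.3 fix. It assumes that address is unchanged and that the version string is passed on the command line.

```python
"""Added check, not from the article or the researchers: run inside a
container on Docker Desktop to see whether the Docker Engine API answers
unauthenticated at the address quoted in the report, and whether the
installed Docker Desktop version is at or past the fixed release."""
import json
import socket
import urllib.error
import urllib.request

ENGINE_API = "http://192.168.65.7:2375"  # address named in the report (assumed unchanged)
FIXED_DESKTOP_VERSION = (4, 44, 3)       # Docker Desktop release that addressed CVE-2025-9074


def parse_version(text: str) -> tuple:
    """'v4.44.3-beta' -> (4, 44, 3); ignores a leading 'v' and any suffix."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def desktop_is_patched(desktop_version: str) -> bool:
    """True when the supplied Docker Desktop version already carries the fix."""
    return parse_version(desktop_version) >= FIXED_DESKTOP_VERSION


def engine_version_from_body(body: bytes) -> str:
    """Pull the engine version out of a GET /version JSON reply."""
    return json.loads(body.decode("utf-8")).get("Version", "unknown")


def engine_reachable(base_url: str = ENGINE_API, timeout: float = 2.0):
    """Read-only probe: (True, engine version) if /version answers without
    credentials, else (False, reason). A True here is the exposure itself."""
    try:
        with urllib.request.urlopen(base_url + "/version", timeout=timeout) as resp:
            return True, engine_version_from_body(resp.read())
    except (urllib.error.URLError, socket.timeout, ValueError, OSError) as exc:
        return False, repr(exc)


def assess(desktop_version: str, base_url: str = ENGINE_API) -> dict:
    """Combine the probe result with the version check into one report."""
    reachable, detail = engine_reachable(base_url)
    return {
        "engine_api_reachable": reachable,  # unauthenticated engine access from a container
        "detail": detail,
        "desktop_patched": desktop_is_patched(desktop_version),
    }


if __name__ == "__main__":
    import sys
    print(json.dumps(assess(sys.argv[1] if len(sys.argv) > 1 else "0.0.0"), indent=2))
```

A `True` for `engine_api_reachable` means a container can talk to the engine without the Docker socket being mounted, which is exactly the condition the bulletin describes; a patched Desktop version should not produce it.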