
Docker has released fixes to address a critical security flaw affecting Docker Desktop for Windows and macOS that could allow attackers to escape the container.
The vulnerability, tracked as CVE-2025-9074, has a CVSS score of 9.3 out of 10.0 and is addressed in version 4.44.3.
“Malicious containers running on Docker Desktop can access the Docker Engine and launch additional containers without the need to mount the Docker socket,” Docker said in an advisory released last week.
“This allows for unauthorized access to user files on the host system. Extended Container Isolation (ECI) does not mitigate this vulnerability.”

According to security researcher Felix Boulet, the vulnerability stems from the fact that a container can connect to the Docker Engine API at 192.168.65[.]7:2375 without any authentication. When a privileged container mounts the host's C:\ drive this way, it opens the door to full access to the underlying host.
In a proof-of-concept (PoC) exploit, web requests from any container trigger the flaw and result in a complete compromise of the host:
POST a JSON payload to “/containers/create” that binds the host C:\ drive to a folder inside the container (“/mnt/host/c:/host_root”) and specifies a command that writes under /host_root when the container starts. Then POST to “/containers/{id}/start” to start the container and run that command.
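A defender-side check for the condition the PoC above relies on, namely a container whose bind mount is rooted at an entire host drive: this is an added example, not code from the advisory or the researchers, and it assumes Docker Desktop exposes Windows drives to its VM under /mnt/host/<drive> (as in the PoC's /mnt/host/c path). Input is the JSON printed by `docker inspect`; the sample embedded below is constructed.

```python
import json
import re

# Host-side paths that hand a container an entire host drive: the Docker Desktop VM's
# /mnt/host/<drive> view (assumed layout, matching the page's /mnt/host/c), a bare
# Windows drive root such as C:\, or the VM's own root directory.
HOST_ROOT_RE = re.compile(r"^(?:/mnt/host/[a-z]/?|[a-z]:\\?|/)$", re.IGNORECASE)


def risky_sources(inspect_json: str) -> list[tuple[str, str]]:
    """Return (container name, host source) pairs for bind mounts rooted at a host drive.

    inspect_json is the output of `docker inspect <id>...`: a JSON list of container
    objects. Both the normalised Mounts list and the raw HostConfig.Binds are checked.
    """
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/") or c.get("Id", "")[:12]
        sources = set()
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind":
                sources.add(m.get("Source", ""))
        for bind in (c.get("HostConfig") or {}).get("Binds") or []:
            # Raw "src:dst[:opts]" strings as sent to /containers/create; take the part
            # before the first ':' (VM-style paths only, Windows "C:\" sources are
            # already covered by the normalised Mounts entries above).
            sources.add(bind.split(":", 1)[0])
        for src in sorted(sources):
            if HOST_ROOT_RE.match(src):
                findings.append((name, src))
    return findings


# Constructed sample: one container bind-mounting the host C: drive exactly as in the
# PoC description, and one benign container mounting only a project directory.
SAMPLE = json.dumps([
    {"Id": "a1b2c3d4e5f6a7b8", "Name": "/suspicious",
     "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]},
     "Mounts": [{"Type": "bind", "Source": "/mnt/host/c", "Destination": "/host_root", "RW": True}]},
    {"Id": "0f1e2d3c4b5a6978", "Name": "/webapp",
     "HostConfig": {"Binds": ["/mnt/host/c/Users/dev/app:/app:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/mnt/host/c/Users/dev/app", "Destination": "/app", "RW": False}]},
])

if __name__ == "__main__":
    for name, src in risky_sources(SAMPLE):
        print(f"{name}: bind-mounts host drive root {src}")
```

On a real host, pipe `docker inspect $(docker ps -aq)` into `risky_sources` and treat any finding as a container to investigate, since nothing legitimate in a typical workflow needs the whole drive.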
“At its core, the vulnerability was simple monitoring, and Docker’s internal HTTP API could be reached from any container without authentication or access control,” Boulet says.
Pvotal Technologies researcher Philippe Dugre (“Zer0x64”) said that attackers could exploit the flaw in the Windows version of Docker Desktop to mount the entire file system as an administrator, read sensitive files, and overwrite system DLLs in order to escalate to administrator on the host system.
“However, on macOS, the Docker Desktop application still has a separator layer, and if you try to mount a user directory, you will be asked for permission,” Dugre said. “By default, the Docker application does not have access to the rest of the file system and does not run with administrative privileges, so the host is much more secure than on Windows.”
“However, attackers still have full control over the Docker application/container and can even backdoor it by installing and modifying the application’s configuration, but no user approval is required.”

The vulnerability does not affect the Linux version of Docker, which uses named pipes rather than TCP sockets for the Docker Engine API and does not mount the host's file system in the same way.
The easiest way to exploit the vulnerability is through a malicious container controlled by a threat actor. That said, server-side request forgery (SSRF) flaws can be used as an alternative attack vector.
“The vulnerability allows an attacker to proxy requests through vulnerable applications and reach the Docker socket. The impact depends, among other things, on the availability of the HTTP request method (most SSRFs only allow GET requests, but the POST, PATCH, and DELETE methods are also usable),” Dugre said.