Docker fixed a critical flaw in the Docker Desktop app for Windows and macOS that could potentially allow an attacker to escape the confines of a container.
Docker fixed a critical vulnerability, tracked as CVE-2025-9074 (CVSS score of 9.3), impacting the Docker Desktop app for Windows and macOS. An attacker can exploit the flaw to potentially escape the confines of a container.
According to DockerDoc, a malicious container could access the Docker Engine and launch additional containers without having the Docker socket mounted, risking host file access, even with Enhanced Container Isolation (ECI) enabled.
“A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the ‘Expose daemon on tcp://localhost:2375 without TLS’ option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc.,” reads the advisory. “In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.”
The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0 and has been addressed in Docker Desktop version 4.44.3.
The vulnerability was discovered by the researchers Felix Boulet and Philippe Dugre (zer0x64).
Researcher Felix Boulet discovered that the flaw allows containers to connect to the Docker Engine API (192.168.65.7:2375) without authentication. A PoC shows that any container can issue requests to bind the host’s C:\ drive, then start a container with read/write access to host files, leading to full host compromise.
“At its core, this vulnerability was a simple oversight: Docker’s internal HTTP API was reachable from any container without authentication or access controls. It’s a stark reminder that critical security gaps often stem from the most basic assumptions. I found this issue by running a quick nmap scan against the Docker’s documented private network,” Boulet wrote. “Scanning all private range subnets takes only minutes and might show you that you weren’t as isolated as you thought. Always test your network isolation assumptions and do not trust that all security models are aligned by default.”
Dugre found that on Windows the flaw lets attackers mount the full file system as admin, read sensitive data, or overwrite DLLs to gain control of the host. The experts explained that macOS is safer due to its isolation, though attackers can still backdoor Docker configs. Linux isn’t impacted since it uses a named pipe. Exploitation can come from malicious containers or via SSRF to proxy requests to the Docker socket.
“While the easiest way to exploit it is via a vulnerable or malicious container that’s controlled by the attacker, another attack vector that can be used here is Server-Side Request Forgery (SSRF),” wrote Dugre. “This vulnerability allows an attacker to proxy requests through the vulnerable application and reach the docker socket, the impact of which varies especially depending on the availability of HTTP request methods (most SSRF only allows GET requests, but some niche cases allow the use of POST, PATCH, DELETE methods).”
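Boulet’s advice to test isolation assumptions can be turned into a small check. The following script is an added example, not code from the researchers or from Docker: run from inside a container, it sends an unauthenticated `GET /_ping` to the default engine endpoint named in the advisory (192.168.65.7:2375) and reports whether the Engine API answered, and it also compares a Docker Desktop version string against the fixed release 4.44.3. The endpoint, timeout and sample responses are assumptions constructed for the example.

```python
import socket

# Default Docker Desktop engine API endpoint quoted in the advisory for CVE-2025-9074.
DEFAULT_ENDPOINT = ("192.168.65.7", 2375)
# First Docker Desktop release that addresses the flaw, per the advisory.
FIXED_VERSION = (4, 44, 3)


def parse_version(text):
    """Turn a version string such as '4.44.3' into a comparable (major, minor, patch) tuple."""
    parts = []
    for chunk in text.strip().split(".")[:3]:
        digits = "".join(ch for ch in chunk if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(desktop_version):
    """True when the installed Docker Desktop version is 4.44.3 or later."""
    return parse_version(desktop_version) >= FIXED_VERSION


def classify_ping(raw):
    """Interpret the raw HTTP reply to 'GET /_ping'.

    The Docker Engine API answers that route with '200 OK' and the body 'OK';
    seeing that from a container means the daemon is reachable without credentials.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if status_line.startswith(b"HTTP/1.") and b" 200 " in status_line and body.strip() == b"OK":
        return "exposed"
    return "unexpected"


def probe(endpoint=DEFAULT_ENDPOINT, timeout=3.0):
    """Run inside a container: try the Engine API over plain TCP with no authentication."""
    host, port = endpoint
    request = f"GET /_ping HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection(endpoint, timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return "unreachable"  # isolation held (or the daemon is not listening there)
    return classify_ping(b"".join(chunks))


if __name__ == "__main__":
    print("engine API from this container:", probe())
```

A result of `exposed` from a container on an unpatched Desktop reproduces the condition the advisory describes; after updating to 4.44.3 or later the probe should report `unreachable`.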