Docker Fixes Critical Desktop Flaw Allowing Container Escapes

Docker has released a critical security patch to address a flaw in its Desktop app for Windows and macOS that could potentially allow an attacker to escape the confines of a container. The vulnerability, tracked as CVE-2025-9074 (CVSS score of 9.3), has been addressed in version 4.44.3.

The issue arises from a simple oversight by Docker: its internal HTTP API was reachable from any container without authentication or access controls. This allows locally running Linux containers to reach the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. With or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled, the flaw can be used to issue a wide range of privileged commands to the Engine API, including controlling other containers, creating new ones, managing images, and even mounting the host drive.

According to Felix Boulet, one of the researchers who discovered the flaw, "A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet... This can lead to execution of a wide range of privileged commands to the engine API." The vulnerability has been addressed in version 4.44.3, and Docker is urging users to update their applications as soon as possible.

Researchers Felix Boulet and Philippe Dugre discovered the vulnerability after conducting a thorough scan of Docker's documented private network. "Scanning all private-range subnets takes only minutes and might show you that you weren't as isolated as you thought," Boulet wrote. "Always test your network isolation assumptions and do not trust that all security models are aligned by default."
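Boulet's advice to test network-isolation assumptions, and the exposure described above (an Engine API answering on the documented Docker subnet address without authentication), suggest a concrete check a defender can run from inside a container before and after updating. The following script is an added example and is not part of the article or of the researchers' tooling. It performs only a TCP connect and a read-only GET to the engine's documented `/_ping` endpoint; the target address and port are the ones the article names. The mock server at the bottom is a constructed stand-in used only so the probe logic can be exercised offline.

```python
import http.client
import socket
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Default Docker Desktop engine endpoint as named in the advisory.
DEFAULT_ENGINE_HOST = "192.168.65.7"
DEFAULT_ENGINE_PORT = 2375


@dataclass
class EngineApiProbe:
    host: str
    port: int
    reachable: bool   # TCP connect succeeded
    ping_ok: bool     # GET /_ping returned 200 "OK", i.e. an engine answered
    detail: str


def probe_engine_api(host: str = DEFAULT_ENGINE_HOST, port: int = DEFAULT_ENGINE_PORT,
                     timeout: float = 2.0) -> EngineApiProbe:
    """Read-only check: can this process reach a Docker Engine API at host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError as exc:
        return EngineApiProbe(host, port, False, False, f"tcp connect failed: {exc}")

    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/_ping")   # documented, side-effect-free engine endpoint
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        status = resp.status
    except (OSError, http.client.HTTPException) as exc:
        return EngineApiProbe(host, port, True, False, f"tcp open, HTTP failed: {exc}")
    finally:
        conn.close()
    return EngineApiProbe(host, port, True, status == 200 and body == "OK",
                          f"HTTP {status}: {body[:40]}")


def verdict(probe: EngineApiProbe) -> str:
    """Turn a probe result into the action a defender should take."""
    if probe.ping_ok:
        return ("EXPOSED: an unauthenticated Docker Engine API answers from here; "
                "update Docker Desktop to 4.44.3 or later and re-run this check")
    if probe.reachable:
        return "PORT OPEN: something listens, but it is not an engine ping response; investigate"
    return "NOT REACHABLE: this network-isolation assumption holds"


class _MockEngineHandler(BaseHTTPRequestHandler):
    """Constructed stand-in that answers /_ping like an engine, for testing the probe offline."""
    def do_GET(self):
        is_ping = self.path == "/_ping"
        body = b"OK" if is_ping else b"not found"
        self.send_response(200 if is_ping else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep test output quiet
        pass


def start_mock_engine():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _MockEngineHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Run inside a container on the host under test; defaults target the documented address.
    result = probe_engine_api()
    print(result.detail)
    print(verdict(result))
```

Run it from within any container on a Docker Desktop host: a "NOT REACHABLE" verdict after updating to 4.44.3 confirms the fix took effect, while "EXPOSED" on an older release is the condition the advisory describes. Because the probe never sends anything beyond `/_ping`, it is safe to keep in a routine hardening check.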

Dugre found that on Windows, the Docker Desktop flaw allows attackers to mount the full file system as admin, read sensitive data, or overwrite DLLs to gain host control. In contrast, macOS is safer due to its isolation, although attackers can still backdoor Docker configs. Linux is not impacted since it uses a named pipe.

Exploitation of this vulnerability can come from malicious containers or via Server-Side Request Forgery (SSRF). According to Dugre, "While the easiest way to exploit it is via a vulnerable or malicious container that's controlled by the attacker, another attack vector that can be used here is SSRF." This allows an attacker to proxy requests through the vulnerable application and reach the docker socket.

"The impact of which varies especially depending on the availability of HTTP request methods (most SSRFs only allow GET requests, but some niche cases allow the use of POST, PATCH, DELETE methods)," Dugre wrote. "This vulnerability is a stark reminder that critical security gaps often stem from the most basic assumptions."

Users are advised to update their Docker applications immediately and exercise caution when using containers to avoid potential exploitation.
