Full Report
A critical vulnerability in Docker Desktop for Windows and macOS allows compromising the host by running a malicious container, even if the Enhanced Container Isolation (ECI) protection is active. [...]
Analysis Summary
# Vulnerability: Critical SSRF in Docker Desktop Allows Host Hijack via Malicious Container
## CVE Details
- CVE ID: CVE-2025-9074
- CVSS Score: 9.3 (Critical)
- CWE: Server-Side Request Forgery (SSRF)
## Affected Systems
- Products: Docker Desktop (Windows and macOS)
- Versions: Prior to Docker Desktop version 4.44.3
- Configurations: Enhanced Container Isolation (ECI) does not mitigate this vulnerability. Any container running on Docker Desktop is affected. Docker Desktop for Linux is reportedly unaffected.
## Vulnerability Description
The vulnerability is a critical Server-Side Request Forgery (SSRF) flaw that allows a malicious container to bypass the standard isolation mechanisms and communicate directly with the Docker Engine API. The API is reachable without authentication at the internal address `http://192.168.65.7:2375/` from inside any running container. With that access an attacker can launch *additional* containers without the Docker socket being mounted, leading to unauthorized access to the host system's resources.
## Exploitation
- Status: PoC available
- Complexity: Low (Exploit demonstrated with minimal code)
- Attack Vector: Network (from within the container)
### Impact Details
The impact severity differs based on the OS:
- **Windows:** An attacker can use this flaw to mount the entire host filesystem (via WSL2 integration) as an administrator, read sensitive files, or overwrite system DLLs to escalate privileges to host administrator/root.
- **macOS:** The Engine API is reachable in the same way, but the operating system imposes safeguards. Mounting the user directory prompts for user permission, so immediate full host compromise is harder than on Windows, although tampering with Docker's configuration remains a risk.
- Confidentiality: High (especially on Windows)
- Integrity: High (Critical on Windows due to elevation capabilities)
- Availability: High (potential for system disruption)
## Remediation
### Patches
- Docker Desktop version **4.44.3** addresses this vulnerability.
### Workarounds
- The vendor detailed no official workarounds; patching is strongly recommended. The only implicit mitigation is to isolate Docker Desktop usage from highly privileged systems or networks until it is updated.
## Detection
- **Indicators of Compromise (IoCs):** Unexpected creation or start of new containers initiated from within an existing container, or abnormal outbound network traffic from a running container directed at the internal Docker Engine API port (2375).
- **Detection Methods and Tools:** Monitor container runtime activity for unauthorized attempts to communicate with internal control-plane addresses. Review Docker Engine logs for unusual API calls originating from non-standard sources (i.e., from within another container).
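As an added example (not from the advisory or any of the referenced write-ups), the following Python script applies the detection logic above to constructed flow-log lines: it flags every flow from the container address range to the internal Engine API endpoint named in this report, and raises the severity when the request path is a container-create call. The log line format, the container subnet 172.17.0.0/16 and the container names are assumptions; adapt them to whatever flow or proxy logs you already collect from the Docker Desktop VM.

```python
import ipaddress
import re
from typing import Dict, List

# The internal Docker Engine API endpoint named in the advisory, and an
# ASSUMED container address range; adjust to your Docker Desktop network.
ENGINE_API = ("192.168.65.7", 2375)
CONTAINER_NET = ipaddress.ip_network("172.17.0.0/16")

# Constructed flow-log line format (not Docker's own log format):
# <ts> src=<ip>:<port> dst=<ip>:<port> container=<name> req="<METHOD> <path>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)'
    r' container=(?P<name>\S+)(?: req="(?P<method>[A-Z]+) (?P<path>\S+)")?$'
)

# Constructed sample: one benign egress flow, two API calls from container
# build-7 to the Engine API, and one expected host-side health check.
SAMPLE_LOG = """\
2025-08-20T10:00:01Z src=172.17.0.2:44120 dst=203.0.113.10:443 container=web-1 req="GET /index.html"
2025-08-20T10:00:05Z src=172.17.0.3:50112 dst=192.168.65.7:2375 container=build-7 req="GET /containers/json"
2025-08-20T10:00:06Z src=172.17.0.3:50114 dst=192.168.65.7:2375 container=build-7 req="POST /containers/create"
2025-08-20T10:00:09Z src=192.168.65.1:54000 dst=192.168.65.7:2375 container=- req="GET /_ping"
"""

def find_engine_api_reach(lines) -> List[Dict[str, str]]:
    """Return one finding per flow from a container address to the Engine API."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or (m["dip"], int(m["dport"])) != ENGINE_API:
            continue
        if ipaddress.ip_address(m["sip"]) not in CONTAINER_NET:
            continue  # host-side traffic to the engine is expected
        path = m["path"] or ""
        findings.append({
            "ts": m["ts"], "container": m["name"], "src": m["sip"],
            "request": f'{m["method"]} {path}' if m["method"] else "(no request parsed)",
            # a container asking the engine to create another container is
            # the strongest indicator listed above
            "severity": "critical" if path.startswith("/containers/create") else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in find_engine_api_reach(SAMPLE_LOG.splitlines()):
        print(finding)
```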
## References
- Vendor Advisory: docs dot docker com/desktop/release-notes/#4443
- Researcher Blog / PoC: blog dot qwertysecurity dot com/Articles/blog3
- Researcher Analysis: pvotal dot tech/breaking-dockers-isolation-using-docker-cve-2025-9074/