Docker Desktop Flaw Exposes Windows and macOS Hosts to Container Escape
By Cyber Jack · Aug 25 · 2 min read
Docker has shipped an urgent patch for a critical vulnerability in Docker Desktop that allowed malicious containers to break out of their sandbox and gain unauthorized access to host systems. The flaw, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10 and has been fixed in version 4.44.3.
At the heart of the bug was an overlooked internal API exposure. According to security researcher Felix Boulet, any container could connect to the Docker Engine API at 192.168.65.7:2375 without authentication. That loophole made it trivial for an attacker to spin up new containers, mount host drives, and manipulate host files directly.
In proof-of-concept exploits, a single HTTP request from inside a container was enough to bind a Windows host’s C:\ drive into the attacker’s container. From there, attackers could read sensitive data, inject malware, or overwrite system DLLs to escalate privileges. On macOS, safeguards are stronger — user directory mounts require permission, and the app does not run with admin privileges by default — but attackers could still backdoor Docker itself by tampering with its configuration files.
“This could allow unauthorized access to user files on the host system. Enhanced Container Isolation does not mitigate this vulnerability,” Docker warned in its advisory.
Windows Hit Hardest
Philippe Dugre of PVOTAL Technologies highlighted the risk on Windows desktops, noting that attackers could not only read any file but also escalate to full system control. Linux installations are unaffected since the Docker Engine there communicates over a local Unix socket rather than an exposed TCP port.
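The Linux point above rests on where the Engine API listens: a local Unix socket is reachable only by local, permissioned clients, while a TCP listener is reachable by anything on the network. As an added example (not code from the article or from Docker), the script below audits a Docker Engine `daemon.json` for that distinction using the real `hosts` and `tlsverify` options, and generalizes the article's observation into a check an operator can run against any engine host. The sample configurations are constructed; the Unix-socket default used when `hosts` is absent is stated as an assumption in the code.

```python
"""Audit a Docker Engine daemon.json for network-reachable API listeners.

Added example, not code from the article or from Docker. It reads the
real daemon.json options `hosts` and `tlsverify` and reports listeners
that would expose the Engine API over TCP, contrasting them with the
Unix-socket default the article credits for Linux being unaffected.
No network access is performed.
"""
import json

ALL_INTERFACES = ("0.0.0.0", "[::]", ":")  # bind targets that listen on every interface


def audit_daemon_config(config_text):
    """Return a list of 'SEVERITY: message' findings for one daemon.json body."""
    cfg = json.loads(config_text) if config_text.strip() else {}
    # When `hosts` is absent the daemon listens only on the local Unix socket
    # (Linux default; stated here as an assumption rather than read from the engine).
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls_required = bool(cfg.get("tlsverify", False))
    findings = []
    for listener in hosts:
        if listener.startswith(("unix://", "npipe://", "fd://")):
            continue  # local socket, named pipe or socket activation: not network-reachable
        if not listener.startswith("tcp://"):
            findings.append(f"INFO: unrecognised listener spec {listener}")
            continue
        hostport = listener[len("tcp://"):]
        if not tls_required:
            # Anyone who can reach the port can drive the engine: the same class
            # of exposure the article describes for Docker Desktop.
            findings.append(f"HIGH: plaintext TCP listener without tlsverify: {listener}")
        elif hostport.startswith(ALL_INTERFACES):
            findings.append(f"MEDIUM: TLS-authenticated listener bound to all interfaces: {listener}")
    return findings


# Constructed configurations for demonstration.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = '{"hosts": ["unix:///var/run/docker.sock"]}'

if __name__ == "__main__":
    for name, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(body) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` on an engine host; an empty result means the engine is reachable only through the local socket, which is the posture the article describes for Linux.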
Boulet summed it up bluntly: “At its core, this vulnerability was a simple oversight. Docker’s internal HTTP API was reachable from any container without authentication or access controls.”
Easy Exploit, Big Risk
The exploit requires no advanced skillset, making it particularly dangerous in enterprise environments where Docker Desktop is used casually as “developer tooling.” An attacker could seed a malicious image or chain the flaw through a server-side request forgery (SSRF) bug to hit the exposed API remotely.
Gabrielle Hempel, security operations strategist at Exabeam, said the flaw underscores a recurring lesson in container security.
“This CVE reinforces a hot take I have in cloud and container security: isolation boundaries aren’t as strong as vendors want us to believe. Even with ECI enabled, you can still escalate privilege from inside a container to a host. This kind of exploit is why defense-in-depth isn’t optional.”
She warned that the “window of time between disclosure and patching is critical,” urging security teams to rely on endpoint telemetry and behavioral detections until patches are fully rolled out.
Patch Now
Docker recommends upgrading immediately to Desktop 4.44.3 or newer. Security teams are also advised to treat Docker Desktop as a privileged component of the software stack, monitor for abnormal API calls from within containers, and assume that containers are not an impenetrable boundary.
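The advice to "monitor for abnormal API calls from within containers" can be turned into a concrete detection. The following is an added example, not code from the article, from Docker or from any of the quoted researchers. It assumes a constructed key=value telemetry format from an endpoint sensor (field names and sample lines are invented), and it uses the engine address the article names, 192.168.65.7:2375, with the surrounding /24 assumed to be the container network. Any container-origin connection to the Engine API is flagged; calls that create or start containers are raised to high severity because that is the behaviour the advisory describes.

```python
"""Flag Docker Engine API calls that originate from inside containers.

Added example, not code from the article or from Docker. The telemetry
format (one network event per line, key=value fields) and the sample
lines are constructed for the example. The engine address is the one
named in the article; the container subnet is an assumption.
"""
import ipaddress
import re

ENGINE_API = ("192.168.65.7", 2375)                       # address named in the article
CONTAINER_NET = ipaddress.ip_network("192.168.65.0/24")   # assumption: Docker Desktop VM network

# Engine API paths that spawn or start containers. Seeing one of these from
# inside an existing container is the escalation path the advisory describes.
HIGH_RISK = re.compile(r"^/(v[\d.]+/)?containers/(create|[^/]+/start)$")

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one telemetry line into a dict, or return None if it is not an event."""
    fields = dict(FIELD.findall(line))
    if not {"src", "dst", "dport"} <= fields.keys():
        return None
    fields["dport"] = int(fields["dport"])
    return fields


def classify(event):
    """Return an alert dict for a container-to-engine API call, else None."""
    if (event["dst"], event["dport"]) != ENGINE_API:
        return None
    src = ipaddress.ip_address(event["src"])
    if src not in CONTAINER_NET or str(src) == ENGINE_API[0]:
        return None  # host-side traffic or the engine itself
    path = event.get("path", "")
    severity = "high" if HIGH_RISK.match(path) else "medium"
    return {
        "ts": event.get("ts"),
        "src": str(src),
        "severity": severity,
        "detail": f"{event.get('method', '?')} {path or '(no http metadata)'}",
    }


def scan(lines):
    """Run the detection over an iterable of telemetry lines."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one ordinary HTTPS flow, then a container probing the
# engine and creating/starting a container, then a second container querying it.
SAMPLE = """\
ts=2025-08-25T10:00:01Z src=192.168.65.3 dst=10.0.0.5 dport=443 method=GET path=/
ts=2025-08-25T10:00:02Z src=192.168.65.3 dst=192.168.65.7 dport=2375 method=GET path=/_ping
ts=2025-08-25T10:00:03Z src=192.168.65.3 dst=192.168.65.7 dport=2375 method=POST path=/v1.47/containers/create
ts=2025-08-25T10:00:04Z src=192.168.65.3 dst=192.168.65.7 dport=2375 method=POST path=/v1.47/containers/abc123/start
ts=2025-08-25T10:00:05Z src=192.168.65.4 dst=192.168.65.7 dport=2375 method=GET path=/version
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

On the sample the first line is ignored and the remaining four produce alerts, two of them high severity. Because the flaw needs no authentication, the connection itself is the signal; a patched host should produce none of these events, so any hit after upgrading to 4.44.3 also indicates an unpatched machine.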
The flaw is another reminder that container engines carry the same risk surface as hypervisors — and when their security slips, so does the entire system they run on.