Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Analysis of 4 Million Docker Images Shows Half Have Critical Vulnerabilities

Container security company Prevasio has analyzed 4 million public Docker container images hosted on Docker Hub and found that over half of them had critical vulnerabilities and thousands of images included malicious or potentially harmful elements.

Container security company Prevasio has analyzed 4 million public Docker container images hosted on Docker Hub and found that over half of them had critical vulnerabilities and thousands of images included malicious or potentially harmful elements.

The cybersecurity firm used its Prevasio Analyzer service to analyze all the container images on Docker Hub, the largest library and community for container images. In order to analyze the large amount of images, the Prevasio service ran non-stop for one month on 800 machines.

The analysis found that 51% of the 4 million images included packages or app dependencies with at least one critical vulnerability and 13% had high-severity flaws.

Roughly 6,400 containers, representing 0.16% of the total, were classified as malicious or potentially harmful due to the presence of malware, cryptocurrency miners, hacking tools, a malicious npm package (flatmap-stream), and trojanized applications.

According to Prevasio, these malicious or potentially harmful Docker images have been downloaded more than 300 million times.

Malicious or potentially harmful elements in Docker container images

Crypto-miners were detected in 44% of the 6,400 containers and while in many cases developers clearly state that their container images contain these miners, the miners are often hidden.

“Regardless of the original intention, if an employee pulls from Docker Hub and then runs a coinmining container image at work, there is a very high chance that the company’s resources are not used as originally intended. A system administrator might find such container images undesirable for a corporate environment or even potentially harmful,” Prevasio wrote in a report detailing its findings.

The research also uncovered images with dynamic payloads, where the original image does not appear to include anything malicious, but they are scripted to — at runtime — download the source code of a miner, compile it, and execute it.

As for trojanized applications, the analysis uncovered trojanized WordPress plugins, Apache Tomcat, and Jenkins. While much of the malware currently found in the images targets Windows, malware could pose a bigger issue in the future with the rise of cross-platform threats.

“If a company’s developer takes a shortcut by fetching a pre-built image, instead of composing a new image from scratch, there is a viable risk that such pre-built image might come pre-trojanised. If such an image ends up in production, the attackers may potentially be able to access such containerized applications remotely via a backdoor,” Prevasio warned.

Related: ‘Graboid’ Crypto-Jacking Worm Targets Docker Hosts

Related: Misconfigured Docker Registries Expose Thousands of Repositories

Related: Docker Hub Breach Hits 190,000 Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.