Docker Desktop Vulnerability Leads to Host Compromise

A critical vulnerability in Docker Desktop allows attackers to modify the filesystem of Windows hosts to become administrators.

A critical vulnerability in Docker Desktop allows attackers to control containers, mount the host’s file system, and modify it to escalate their privileges to those of an administrator.

Tracked as CVE-2025-9074 (CVSS score of 9.3), the flaw is a container escape issue that impacts the Windows and macOS iterations of the application.

“A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted. This could allow unauthorized access to user files on the host system,” Docker notes in its advisory.

The security defect can be triggered regardless of whether Enhanced Container Isolation (ECI) is enabled or not. Patches for the bug were included in Docker Desktop version 4.44.3.

The vulnerability, security researcher Felix Boulet explains, exists because, in the vulnerable application versions, any container can access Docker’s internal HTTP API without authentication.

This, Boulet says, allows an attacker to connect to the API using the internal IP address, create and start a privileged container, and then mount the host’s file system, gaining full access to the host.
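As an added defender-side example (not code from the article, from Docker, or from the researchers quoted), the audit below reads `docker inspect` JSON and flags the end state the article describes: a privileged container with a sensitive host path, such as the host root, bind-mounted into it. The sample inspect data and the sensitive-path list are constructed assumptions; the 4.44.3 threshold is the fixed version named in the article.

```python
"""Audit `docker inspect` output for the pattern the article describes as the
payoff of the escape: a privileged container with a sensitive host path
(such as the host root) bind-mounted into it. SAMPLE_INSPECT is constructed."""
import json

PATCHED_DESKTOP = (4, 44, 3)  # first fixed Docker Desktop release per the advisory
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock", "/Windows")  # assumed list

# Constructed sample resembling `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaaa1111", "Name": "/web-frontend",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/app/data", "Destination": "/data"}]},
    {"Id": "bbbb2222", "Name": "/suspicious",
     "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"},
                {"Type": "volume", "Source": "cache-vol", "Destination": "/cache"}]},
])

def desktop_is_patched(version: str) -> bool:
    """True if a Docker Desktop version string ("4.44.3") is at or past the fix."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= PATCHED_DESKTOP

def is_sensitive(path: str) -> bool:
    """Host path equals, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")

def bind_sources(container: dict) -> list:
    """Host-side sources of the container's bind mounts (named volumes ignored)."""
    return [m["Source"] for m in container.get("Mounts", []) if m.get("Type") == "bind"]

def audit(inspect_json: str) -> list:
    """One finding per container that is privileged or bind-mounts a sensitive
    host path; both together (the escape's end state) is rated high."""
    findings = []
    for c in json.loads(inspect_json):
        privileged = bool(c.get("HostConfig", {}).get("Privileged"))
        hits = sorted({s for s in bind_sources(c) if is_sensitive(s)})
        if not (privileged or hits):
            continue
        findings.append({"id": c["Id"], "name": c.get("Name", "").lstrip("/"),
                         "privileged": privileged, "host_paths": hits,
                         "severity": "high" if privileged and hits else "medium"})
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

On a real host, feed it `docker inspect $(docker ps -aq)`; a high finding on a Desktop install older than 4.44.3 is worth treating as a possible compromise rather than a misconfiguration.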

The Docker Engine socket, which is the management API for Docker, should not be exposed to untrusted code or users, as it “grants full access to everything the docker application can do”, white-hat hacker Philippe Dugre says.

On Windows, he explains, an attacker could exploit the flaw to mount the host’s file system and overwrite a system DLL to obtain administrative privileges on the host.

The macOS version of the application can be exploited to take full control of other containers, or to backdoor the Docker app by mounting and modifying its configuration.

“On macOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission. By default, the docker application does not have access to the rest of the filesystem and does not run with administrative privileges,” Dugre notes.

He also warns that CVE-2025-9074 is very easy to exploit, although it requires that the Docker engine runs on Windows or macOS (most production systems run Linux) and that the attacker has access to the socket.

The attacker can either use a malicious container to mount the attack, or rely on a server-side request forgery (SSRF) attack, proxying requests through a vulnerable application.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.