Critical Docker Desktop vulnerability allows host hijacking (CVE-2025-9074)

Overview

On 25 August 2025, BleepingComputer reported that a critical vulnerability in Docker Desktop could allow malicious containers to hijack the Windows or macOS host【353690463503701†L121-L160】. The flaw—tracked as CVE‑2025‑9074 and assigned a CVSS 9.3 critical severity score—is a server‑side request forgery (SSRF) vulnerability which allows an attacker to access the Docker Engine API from inside a container, bypassing the platform’s Enhanced Container Isolation (ECI) feature【353690463503701†L121-L160】.

The bug was discovered by security researcher Felix Boulet, who found that the Docker Engine API was reachable without authentication at the local address http://192.168.65.7:2375 from within any running container【353690463503701†L136-L140】. Boulet demonstrated that a malicious container could issue a couple of HTTP POST requests via wget to launch a new container that mounted the host’s *C:* drive, effectively granting arbitrary read/write access to files on the host【353690463503701†L141-L145】. Notably, Boulet’s proof‑of‑concept exploit is only *three lines of Python code*, meaning the attack is trivial to reproduce【353690463503701†L174-L177】.

Impact and affected platforms

The vulnerability affects Docker Desktop for Windows and macOS. According to Pvotal Technologies engineer Philippe Dugre, the flaw is more dangerous on Windows because the Docker Engine runs inside Windows Subsystem for Linux (WSL 2); an attacker can mount the entire filesystem, read sensitive files and overwrite system DLLs to gain administrator privileges on the host【353690463503701†L158-L160】. On macOS, users are prompted before granting access outside the container, reducing the severity【353690463503701†L163-L167】. The Linux version of Docker Desktop is not affected【353690463503701†L148-L151】.

Mitigation and patching

Boulet responsibly reported the bug to Docker, and the company released a patched Docker Desktop (version 4.44.3) that disables unauthenticated access to the Docker Engine API【353690463503701†L174-L177】. Users should immediately upgrade to the latest version on Windows and macOS. Until then, organizations should avoid running untrusted containers, disable experimental features, and enforce network isolation around Docker host processes. Because the vulnerability does not require code execution inside the container, simply preventing host volumes from being mounted is not sufficient【353690463503701†L121-L160】.

Takeaways

  • Update promptly: Upgrade to Docker Desktop 4.44.3 or later to close the SSRF bug.
  • Limit privileges: Avoid granting containers unnecessary host privileges and enforce network segmentation.
  • Monitor containers: Use runtime security tools to detect unusual container activity and network access.
  • Stay informed: Follow CVE advisories and vendor bulletins to quickly apply security updates.
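As an added example for the "Monitor containers" point (not code from the article, from Boulet, or from Docker), the script below audits `docker inspect`-style records and flags containers whose bind mounts expose a host drive root, which is the pattern the proof-of-concept relies on. The host-path patterns (`C:\`, `/host_mnt/<drive>`, `/run/desktop/mnt/host/<drive>`, `/`) are assumptions about how Docker Desktop maps drives; the sample records are constructed, not real containers.

```python
import json
import re
from typing import Iterable, List

# Assumed host paths that, when bind-mounted, expose the whole host filesystem.
HOST_ROOT_PATTERNS = [
    re.compile(r"^[A-Za-z]:[\\/]?$"),                # Windows drive root, e.g. C:\ or C:
    re.compile(r"^/host_mnt/[a-z]/?$"),              # Docker Desktop drive mount (assumed layout)
    re.compile(r"^/run/desktop/mnt/host/[a-z]/?$"),  # newer Docker Desktop mount path (assumed)
    re.compile(r"^/$"),                              # Linux/macOS root
]


def _source_of(bind: str) -> str:
    """Return the host side of a bind spec 'src:dst[:opts]'; handles 'C:\\' style sources."""
    m = re.match(r"^([A-Za-z]:[\\/][^:]*|[^:]*)(?::|$)", bind)
    return m.group(1) if m else bind


def exposes_host_root(container: dict) -> bool:
    """True if any HostConfig.Binds entry or bind Mount of an inspect record maps a host root."""
    sources = [_source_of(b) for b in container.get("HostConfig", {}).get("Binds") or []]
    sources += [m.get("Source", "") for m in container.get("Mounts", []) if m.get("Type") == "bind"]
    return any(p.match(src) for src in sources for p in HOST_ROOT_PATTERNS)


def flag_containers(inspect_records: Iterable[dict]) -> List[str]:
    """Return names (or ids) of containers that mount a host drive root."""
    return [c.get("Name") or c.get("Id", "?") for c in inspect_records if exposes_host_root(c)]


# Constructed sample records in the shape of `docker inspect` output (not real containers).
SAMPLE = [
    {"Id": "aaa", "Name": "/web", "HostConfig": {"Binds": ["myvol:/data"]}, "Mounts": []},
    {"Id": "bbb", "Name": "/suspicious", "HostConfig": {"Binds": ["C:\\:/mnt/host"]}, "Mounts": []},
    {"Id": "ccc", "Name": "/mac-dev", "HostConfig": {"Binds": []},
     "Mounts": [{"Type": "bind", "Source": "/host_mnt/c", "Destination": "/host"}]},
]

if __name__ == "__main__":
    # In practice feed it `docker inspect $(docker ps -aq)` output; here the constructed sample.
    print(json.dumps(flag_containers(SAMPLE)))  # prints ["/suspicious", "/mac-dev"]
```

A container that was legitimately created with such a mount will also be flagged, so treat hits as items to review rather than proof of exploitation.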

By understanding the mechanics of CVE‑2025‑9074 and applying available patches, organizations can protect their development and production environments from container escape and host compromise.
