A newly disclosed vulnerability in Docker Desktop for Windows has revealed how a simple Server-Side Request Forgery (SSRF) attack could lead to complete host system compromise.
CVE-2025-9074, discovered by Felix Boulet and reported on August 21, 2025, affects all Docker Desktop versions prior to 4.44.3 and demonstrates how container isolation can be completely bypassed through unauthenticated API access.
Key Takeaways
1. Docker Desktop containers can access unauthenticated API for full host compromise.
2. Two HTTP requests create privileged container with host filesystem access.
3. Update Docker Desktop to version 4.44.3 immediately.
The vulnerability was found accidentally during routine network scanning and highlights critical gaps in Docker’s internal security architecture.
Philippe Dugre from Pvotal Technologies independently discovered a similar issue on macOS platforms, emphasizing the cross-platform nature of this security flaw.
The vulnerability stems from Docker Desktop exposing its internal HTTP API endpoint at http://192.168.65.7:2375/ without any authentication mechanisms.
Any container running within the Docker environment could access this endpoint and execute privileged operations against the host system.
This represents a fundamental breakdown of the container isolation model, where workloads should be completely separated from their host environment.
The attack surface was particularly concerning because it required minimal technical sophistication—attackers needed only basic HTTP request capabilities rather than complex exploit chains or memory corruption techniques.
Docker Container Exploitation Process
The exploitation process requires just two HTTP POST requests executed from within any container environment.
The first request targets the /containers/create endpoint with a JSON payload that configures a new privileged container with host filesystem bindings.
The critical configuration parameter involves mounting the Windows C: drive (/mnt/host/c) to a container path (/host_root), effectively providing unrestricted access to the entire host filesystem.
The JSON payload also specifies execution commands that run automatically upon container startup, enabling immediate post-exploitation activities.
The second HTTP request initiates container execution through the /containers/{id}/start endpoint, triggering the malicious container with elevated privileges.
This two-step process bypasses all Docker security controls and grants attackers the same level of access as local administrator accounts.
The vulnerability is particularly insidious because it can be exploited through SSRF attacks, meaning attackers don’t require direct code execution within containers—they only need the ability to trigger HTTP requests from compromised web applications or services running in containerized environments.
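As an added defender-side example (not code from the article or from Docker), the following Python script scans `docker inspect` output for containers that carry the post-exploitation footprint described above: a bind mount whose source lies under Docker Desktop's host-drive path /mnt/host/ (the article's /mnt/host/c), rated critical when the container is also privileged. The inspect records are constructed samples and the severity labels are the script's own convention.

```python
import json
import sys

# Constructed sample of `docker inspect` output (not taken from the article):
# a benign container, the privileged host-drive container the article
# describes, and an unprivileged container that still binds the host drive.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111aaa111", "Name": "/web", "Mounts": [],
     "HostConfig": {"Privileged": False, "Binds": ["appdata:/var/www"]}},
    {"Id": "bbb222bbb222", "Name": "/pwned", "Mounts": [],
     "HostConfig": {"Privileged": True, "Binds": ["/mnt/host/c:/host_root"]}},
    {"Id": "ccc333ccc333", "Name": "/backup", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/mnt/host/c/Users", "Destination": "/data"}]},
])

HOST_DRIVE_PREFIX = "/mnt/host/"  # host-drive path inside the Docker Desktop VM (article's /mnt/host/c)


def find_host_drive_containers(inspect_json, host_prefix=HOST_DRIVE_PREFIX):
    """Flag containers whose bind mounts expose a Docker Desktop host drive.

    Checks both `HostConfig.Binds` ("src:dst[:opts]" strings) and the
    `Mounts` array. Severity labels are this script's own convention:
    privileged + host-drive bind (the CVE-2025-9074 footprint) is "critical".
    """
    findings = []
    for ctr in json.loads(inspect_json):
        host_cfg = ctr.get("HostConfig") or {}
        sources = [b.split(":", 1)[0] for b in host_cfg.get("Binds") or []]
        sources += [m.get("Source", "") for m in ctr.get("Mounts") or []
                    if m.get("Type") == "bind"]
        exposed = sorted({s for s in sources if s.startswith(host_prefix)})
        if not exposed:
            continue
        privileged = bool(host_cfg.get("Privileged"))
        findings.append({
            "id": ctr.get("Id", "")[:12],
            "name": ctr.get("Name", "").lstrip("/"),
            "privileged": privileged,
            "host_sources": exposed,
            "severity": "critical" if privileged else "high",
        })
    return findings


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -aq) > inspect.json; python3 scan.py inspect.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for f in find_host_drive_containers(data):
        print(f"[{f['severity'].upper()}] {f['name']} ({f['id']}) "
              f"privileged={f['privileged']} mounts={f['host_sources']}")
```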
| Risk Factors | Details |
|---|---|
| Affected Products | Docker Desktop for Windows (versions < 4.44.3); Docker Desktop for macOS (similar issue reported) |
| Impact | Full host system compromise |
| Exploit Prerequisites | Access to any container environment; ability to make HTTP requests; network connectivity to 192.168.65.7:2375 |
| CVSS 3.1 Score | Not specified |
Proof of Concept
The proof of concept demonstrates the vulnerability’s simplicity using standard wget commands executable from any Alpine Linux container.
The exploit creates a privileged container that mounts the host C: drive and executes arbitrary commands:
Docker responded quickly to this disclosure, releasing version 4.44.3 with complete remediation of the vulnerability.
The fix implements proper authentication controls for internal API endpoints and strengthens network segmentation between container workloads and Docker’s control plane.
Security researchers recommend immediate updating to the patched version, as no workarounds exist for affected systems.