Enhancing Docker Security: Mitigating CVE-2025-9074, a Critical Container Escape Vulnerability with a CVSS Score of 9.3

Docker has released critical fixes for a significant security vulnerability affecting the Docker Desktop application for Windows and macOS. This flaw, identified as CVE-2025-9074, has a CVSS score of 9.3 out of 10.0 and has been addressed in version 4.44.3. The vulnerability allows a malicious container to access the Docker Engine and launch additional containers without needing the Docker socket to be mounted. This could lead to unauthorised access to user files on the host system, and Enhanced Container Isolation (ECI) does not mitigate this risk. Security researcher Felix Boulet noted that the issue arises from a lack of authentication for connections to the Docker Engine API, enabling a privileged container to gain full access to the underlying host.

Further analysis by PVOTAL Technologies researcher Philippe Dugre revealed that on Windows, an attacker could exploit this flaw to mount the entire file system as an administrator, allowing them to read sensitive files and overwrite system DLLs to escalate privileges. In contrast, the macOS version of Docker Desktop maintains a layer of isolation, requiring user permission to mount directories. While the macOS host is generally safer, attackers can still control Docker applications and containers, potentially backdooring them without user approval. The vulnerability does not affect the Linux version, as it uses a named pipe instead of a TCP socket for the Docker Engine’s API. Attackers can exploit this vulnerability through a malicious container or a server-side request forgery (SSRF) flaw. 
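The post-exploitation pattern described above (an unexpected container started with the host's file system bind-mounted, possibly privileged) is something a defender can hunt for in `docker inspect` output. The following is an added example, not code from Docker or from the researchers cited; it assumes host-root bind mounts appear with a source of `/` or a drive-letter root such as `C:\`, and uses a constructed sample in place of live output.

```python
import json
import re
import sys

# Drive-letter roots as Docker Desktop on Windows reports them (C:\, D:/, E:).
DRIVE_ROOT = re.compile(r"^[A-Za-z]:[\\/]?$")

# Constructed sample standing in for `docker inspect $(docker ps -q)`.
# Names, ids and paths are illustrative, not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume",
                 "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data"}]},
    {"Id": "bbb222", "Name": "/mystery", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Id": "ccc333", "Name": "/win", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "C:\\", "Destination": "/mnt/c"}]},
])


def is_host_root(source: str) -> bool:
    """True when a bind-mount source is the host's root (/ or a drive root)."""
    src = source.strip()
    return src == "/" or bool(DRIVE_ROOT.match(src))


def flag_containers(inspect_json: str) -> list:
    """Return findings for containers that bind-mount the host root or run privileged."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_host_root(m.get("Source", "")):
                reasons.append(f"binds host root {m['Source']!r} at {m.get('Destination')}")
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("runs privileged")
        if reasons:
            findings.append({"id": c["Id"],
                             "name": c.get("Name", "").lstrip("/"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pipe real `docker inspect` JSON on stdin; fall back to the sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in flag_containers(data):
        print(f"{f['name']} ({f['id']}): " + "; ".join(f["reasons"]))
```

A hit is a lead, not proof of compromise: legitimate tooling (backup agents, some monitoring sidecars) also bind-mounts the host root, so compare each finding against what you expect to be running.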
