Critical Docker Desktop Flaw Allows Attackers to Escape Containers and Hijack the Host
A newly discovered critical vulnerability in Docker Desktop has placed Windows users at significant risk. Tracked as CVE-2025-9074 and rated 9.3 out of 10 on the CVSS scale, the flaw enables attackers to bypass container isolation and execute commands directly on the host system using only two crafted HTTP requests.
Docker Desktop has long been regarded as the most widely adopted tool for developers working with containers, simplifying the deployment of applications in isolated environments and ensuring consistent behavior across platforms.
However, researcher Felix Boulet demonstrated that the isolation mechanisms in the Windows version can be trivially undermined. All that is required is a small malicious program inside the container capable of sending a pair of specially crafted POST requests to the Docker engine. This exploit allows the creation of a new container with the host’s C: drive mounted, granting the attacker full system access.
Alarmingly, the flaw can be exploited regardless of whether “Enhanced Container Isolation” is enabled and independent of the “Expose daemon on tcp://localhost:2375 without TLS” setting. In other words, even users who believed they had hardened their installations with additional safeguards were left vulnerable. An attacker could manipulate existing images, launch new containers, and effectively take control of the entire working environment.
Boulet published a functional proof-of-concept exploit, showing that the attack can be triggered from any container. According to him, compromise requires only minimal setup: the presence of a malicious process inside a container and the execution of two sequential requests. This dramatically lowers the barrier to exploitation and increases the likelihood of widespread attacks, particularly when developers use third-party images from unverified sources.
Docker acknowledged the issue and released a fix in version 4.44.3. The company confirmed that attackers could indeed deploy additional containers with direct access to the Docker Engine and urged all users to update immediately. Boulet likewise strongly recommends applying the patch without delay.
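A defender-side check, added here as an illustration and not part of the article or of Docker's own tooling: it reads the JSON that `docker inspect` emits (the sample embedded below is constructed), flags any bind mount that exposes a whole host drive or the host root, which is the end state of the attack described above, and compares a Docker Desktop version string against the 4.44.3 fix. The `Mounts`/`Type`/`Source` field names follow the Docker Engine inspect format; the `docker version` output format is not parsed, the version string is passed in by hand.

```python
"""Audit container bind mounts for host-root exposure and check the Desktop
version against the CVE-2025-9074 fix. Sample data below is constructed."""
import json

FIXED_VERSION = (4, 44, 3)  # Docker Desktop release that ships the fix


def parse_version(v):
    """'4.44.3' or 'v4.44.3-beta' -> (4, 44, 3); ignores pre-release suffixes."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def is_patched(desktop_version):
    """True when the installed Docker Desktop is at or past 4.44.3."""
    return parse_version(desktop_version) >= FIXED_VERSION


def _is_host_root(src):
    """Match a bare Windows drive root ('C:\\', 'D:/') or the POSIX root '/'."""
    s = src.replace("\\", "/").rstrip("/")
    drive_root = len(s) == 2 and s[0].isalpha() and s[1] == ":"
    return s == "" or drive_root


def risky_mounts(inspect_json):
    """Return (container_name, source) for every bind mount of a host root.

    Input is the JSON array printed by `docker inspect <container ...>`.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for m in container.get("Mounts", []):
            if m.get("Type") == "bind" and _is_host_root(m.get("Source", "")):
                findings.append((name, m["Source"]))
    return findings


# Constructed sample: a normal project bind mount next to a container that
# binds the entire host C: drive, the outcome the article describes.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-dev", "Mounts": [
        {"Type": "bind", "Source": "C:\\Users\\dev\\proj", "Destination": "/app"}]},
    {"Name": "/suspicious", "Mounts": [
        {"Type": "bind", "Source": "C:\\", "Destination": "/host"}]},
])

if __name__ == "__main__":
    for name, src in risky_mounts(SAMPLE_INSPECT):
        print(f"[!] container {name} bind-mounts host root {src}")
    print("Docker Desktop 4.44.2 patched:", is_patched("4.44.2"))
```

In practice feed it the output of `docker inspect $(docker ps -aq)` and the version shown in Docker Desktop's About dialog; any finding on a container you did not create yourself deserves investigation.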
Researcher Philippe Dugré, who collaborated with Boulet, clarified that the macOS version of Docker Desktop is less affected, while Linux systems are not vulnerable at all. Because most production environments run on Linux, the primary risk is concentrated among developers running untrusted code on Windows or Mac.
Ultimately, this vulnerability serves as a stark reminder that even cornerstone tools for containerization can harbor critical flaws that expose the host to complete compromise. For Windows users of Docker Desktop, upgrading to the latest release is, at present, the only reliable means of protection.