Critical Docker Desktop vulnerability could let attackers hijack Windows hosts, researchers say

A security flaw in Docker Desktop for Windows and macOS could allow attackers to hijack the host by running a malicious container, even when Enhanced Container Isolation (ECI) is active, security researchers said.

The issue is a server-side request forgery (SSRF) tracked as CVE-2025-9074, with a critical severity rating of 9.3 in the National Vulnerability Database. Docker said the flaw could enable a container to access the Docker Engine and launch additional containers without mounting the Docker socket, effectively bypassing ECI protections. Docker’s bulletin explains the impact.

The bug was reported by security researcher and bug bounty hunter Felix Boulet, who demonstrated that the Docker Engine API could be reached from inside a running container at an unprotected address (for example, http://192.168.65.7:2375/). His PoC creates and starts a new container that binds the Windows host’s C: drive into the container’s filesystem using two HTTP POST requests. The PoC does not require code execution rights inside the container, and Boulet has published additional details on his blog.

Industry expert Philippe Dugré, a DevSecOps engineer with Pvotal Technologies and a NorthSec challenge designer, confirmed that the vulnerability affected Docker Desktop on Windows and macOS but not Linux. He said the risk is higher on Windows because Docker Engine runs via WSL2, where an attacker could mount the entire filesystem as an administrator, read sensitive files, and potentially overwrite a system DLL to gain full control of the host. He noted that on macOS, the Docker Desktop isolation layer and user-permission prompts mitigate many of these risks, though backdooring or configuration changes remain possible if an attacker controls the application.

The PoC is described as easy to leverage, with only a few lines of Python code. Docker said the flaw was addressed in Docker Desktop version 4.44.3, released last week. While macOS benefits from OS safeguards, Windows remains the primary concern for host compromise due to the integration with WSL2.
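As an added defensive example (not code from the article, Docker, or the researchers), the following Python performs the two checks a responder would want after reading the above: whether a reported Docker Desktop version is at or past the fix release 4.44.3, and whether any container's bind mounts expose a host drive root, the artifact the described PoC would leave behind. It assumes `docker inspect`-shaped JSON and that the WSL2 backend exposes host drives to the engine VM under a `/mnt/host/<drive>` path; the sample data is constructed.

```python
import json
import re

# Docker Desktop release that fixes CVE-2025-9074, per the article.
PATCHED_VERSION = (4, 44, 3)

def parse_version(text):
    """Extract the first MAJOR.MINOR.PATCH triple from a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_patched(version_text):
    """True if the reported Docker Desktop version is 4.44.3 or later."""
    return parse_version(version_text) >= PATCHED_VERSION

# Bind-mount sources that hand a container the whole host filesystem.
# Assumption: on Docker Desktop's WSL2 backend host drives are exposed to the
# engine VM under a /mnt/host/<drive> path; native Windows paths and "/" too.
HOST_ROOT_SOURCES = [
    re.compile(r"(?:^|/)mnt/host/[a-z]/?$", re.I),  # .../mnt/host/c
    re.compile(r"^[a-z]:[\\/]?$", re.I),            # C:\ or C:
    re.compile(r"^/$"),                             # Linux host root
]

def host_root_mounts(inspect_json):
    """Names of containers (from `docker inspect` JSON) that bind-mount a host root."""
    flagged = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            if any(p.search(mount.get("Source", "")) for p in HOST_ROOT_SOURCES):
                flagged.append(container["Name"].lstrip("/"))
                break
    return flagged

# Constructed sample shaped like `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Mounts": [{"Type": "volume",
        "Source": "/var/lib/docker/volumes/web/_data", "Destination": "/data"}]},
    {"Name": "/suspect", "Mounts": [{"Type": "bind",
        "Source": "/mnt/host/c", "Destination": "/host_root"}]},
])

if __name__ == "__main__":
    print("patched:", is_patched("Docker Desktop 4.44.3"))
    print("host-root mounts:", host_root_mounts(SAMPLE_INSPECT))
```

Feed it the output of `docker inspect $(docker ps -q)` to audit a live engine; a container mounting only a subdirectory of a drive is not flagged.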