A critical vulnerability in Docker Desktop versions before 4.44.3 has exposed the Docker Engine API to any running container, creating what security researchers are calling one of the most trivial container escape vulnerabilities ever discovered. The flaw, designated CVE-2025-9074 with a CVSS score of 9.3, allows local Linux containers to access the Docker socket without authentication.
The vulnerability is fucking stupid simple to exploit. Any container can reach the Docker Engine API at the exposed endpoint, typically accessible via SSRF or direct TCP connection to the host's Docker daemon. I tested it myself on a Windows machine running Docker Desktop 4.43.2 - the exploit is straightforward: the container simply needs to know where the Docker socket lives (hint: it's always in the same predictable location), and boom, full host access.
Security researcher Mattia "0xbro" Brollo first disclosed the vulnerability, demonstrating how a malicious container can escape its sandbox by communicating directly with the Docker daemon. The exposed API endpoint means any process running inside a container can perform privileged operations including:
- Creating new containers with host filesystem mounts
- Pulling and executing arbitrary Docker images
- Accessing sensitive host files and directories
- Installing persistence mechanisms
- Pivoting to other containers on the same host
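One defensive check tied to the first capability in that list, creating containers with host filesystem mounts: an audit of `docker inspect` output that flags privileged containers and bind mounts of sensitive host paths. This is an added example, not code from the advisory, the researcher or Docker; the sensitive-root list and the `/host_mnt` layout are assumptions, and the inspect records are constructed.

```python
"""Audit `docker inspect` output for the escape footprint listed above (added
example, not code from the advisory or Docker; sample records are constructed)."""
import json
import posixpath

# Host roots that give a container effective control of the host. /host_mnt is
# where Docker Desktop exposes host drives inside its VM (assumed default layout).
SENSITIVE_HOST_ROOTS = ("/etc", "/root", "/home", "/host_mnt",
                        "/var/lib/docker", "/var/run/docker.sock")

def is_sensitive_source(src):
    """True if a bind-mount source is the host root or lies under a sensitive root."""
    src = posixpath.normpath(src)
    if src == "/":
        return True
    return any(src == r or src.startswith(r + "/") for r in SENSITIVE_HOST_ROOTS)

def audit_container(record):
    """Return findings (strings) for one container record from `docker inspect`."""
    name = record.get("Name", "?").lstrip("/")
    host_cfg = record.get("HostConfig") or {}
    findings = []
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: privileged container")
    # Prefer the structured Mounts list; fall back to HostConfig.Binds "src:dst[:opts]".
    sources = {m["Source"] for m in record.get("Mounts") or []
               if m.get("Type") == "bind" and m.get("Source")}
    if not sources:
        sources = {b.split(":", 1)[0] for b in host_cfg.get("Binds") or []}
    for src in sorted(sources):
        if is_sensitive_source(src):
            findings.append(f"{name}: bind-mounts host path {src}")
    return findings

def audit_inspect_json(text):
    """Audit a JSON array as printed by `docker inspect $(docker ps -q)`."""
    return [f for rec in json.loads(text) for f in audit_container(rec)]

# Constructed sample: one ordinary dev container, one with the escape footprint.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": ["/Users/dev/project:/app:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/Users/dev/project", "Destination": "/app"}]},
    {"Name": "/suspect", "HostConfig": {"Privileged": True, "Binds": ["/:/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])

if __name__ == "__main__":
    print("\n".join(audit_inspect_json(SAMPLE_INSPECT)))
```

Run it against real output with `docker inspect $(docker ps -q) > inspect.json` and feed the file to `audit_inspect_json`; a non-empty result on a Docker Desktop host still below 4.44.3 deserves the same response as a confirmed escape.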
What makes this particularly nasty is that it affects Docker Desktop's default configuration. No special container privileges or capabilities are required - the API exposure happens automatically when Docker Desktop starts up. According to Docker's official security advisory, the vulnerability impacts both Windows and macOS installations of Docker Desktop.
The attack vector is essentially a Server-Side Request Forgery (SSRF) that escalates to Remote Code Execution (RCE). A container can make HTTP requests to the Docker daemon running on the host, authenticate automatically (because there's no fucking authentication), and execute commands with system-level privileges. It's container escape made trivial.
Docker fixed the issue on July 3, 2025 with the release of Docker Desktop 4.44.3, but the vulnerability wasn't publicly disclosed until security researchers started finding it in the wild. The security community reaction has been swift, with many pointing out that this represents a fundamental failure in Docker's isolation model.
For enterprise environments running containerized workloads, this vulnerability represents a complete breakdown of the security boundary between containers and hosts. Any malicious code running inside a container - whether from compromised applications, supply chain attacks, or insider threats - can now trivially escalate to full host control.
The impact extends beyond individual developer machines to CI/CD pipelines, cloud environments, and production systems where Docker Desktop might be used for local development or testing. Organizations using Docker Desktop versions before 4.44.3 should assume their container isolation has been completely compromised.