A critical Docker Desktop security flaw puts Windows hosts at risk of attack, so patch now
techradar.com
- Researchers find 9.3/10 flaw in Docker Desktop for Windows and macOS
- The bug allows threat actors to compromise underlying hosts and tamper with data
- A fix was quickly released, so users should patch now
Docker has patched a critical-severity vulnerability in its Desktop app for Windows and macOS that could have allowed threat actors to fully take over vulnerable hosts, exfiltrate sensitive data, and more.
The vulnerability is described as a server-side request forgery (SSRF) and, according to the NVD, it “allows local running Linux containers to access the Docker Engine API via the configured Docker subnet.”
“A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” Docker said in a follow-up security advisory. “This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI ...