Platform
docker
Component
docker-desktop
Fixed in
4.46.1
CVE-2025-10657 is a security vulnerability in Docker Desktop version 4.46.0 when Enhanced Container Isolation (ECI) is enabled. A container that mounts the Docker socket can execute arbitrary Docker commands against the engine, bypassing the restrictions ECI is supposed to impose on such containers. The flaw is a bug in which the Docker socket command restrictions configured for ECI are ignored, which nullifies that part of ECI's protection. The issue is fixed in Docker Desktop 4.46.1.
The impact of CVE-2025-10657 is significant in hardened environments that rely on ECI. An attacker who gains code execution in a container with a mounted Docker socket can use this bypass to issue any Docker command. Unrestricted Docker socket access is equivalent to root on the machine running the engine (on Docker Desktop, that is the Linux VM in which the engine runs), so the attacker can start privileged containers, read and write any container or volume, exfiltrate data, deploy malware, and pivot further into the network. The blast radius covers every service and application running under that Docker engine. The vulnerability undermines the core promise of ECI, which exists to isolate containers and limit their reach into the engine and its host.
CVE-2025-10657 was publicly disclosed on 2025-09-26. Its impact is amplified by the trust placed in ECI in hardened developer environments. Exploitation requires nothing beyond a socket-mounted container and ordinary Docker CLI calls, so a public proof of concept would be straightforward to produce. It is not currently listed in the CISA KEV catalog and its EPSS score is low (0.02%), but the bypass warrants close monitoring. Note that correctly configured command restrictions offer no protection on 4.46.0: the bug ignores them regardless of how carefully they were set up.
Organizations that run Docker Desktop with ECI enabled, particularly where containers are allowed to mount the Docker socket (for example for container-based tooling), are most exposed. Shared machines where several users or untrusted workloads run containers under the same Docker Desktop install are also at risk. Only version 4.46.0 is affected; earlier and later releases do not carry this bug.
• docker / container:
# Check whether the installed Docker Desktop is the affected 4.46.0 release
docker version
• docker / container:
# Inspect ECI configuration (if applicable); if nothing is printed, check the Docker Desktop settings UI or admin-settings.json instead
docker system info | grep -i "enhanced container isolation"
• linux / server:
# Monitor Docker daemon logs for unusual command executions (native Docker Engine host; on Docker Desktop the engine runs inside the Desktop VM, so this unit will not show its logs)
journalctl -u docker -f
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2025-10657 is to upgrade to Docker Desktop 4.46.1 or later. Until the upgrade is rolled out, avoid mounting the Docker socket into containers unless a workflow strictly requires it, and restrict which container images may mount it to trusted ones only, since on 4.46.0 the command restrictions alone provide no protection. Treat every socket-mounted container on an affected install as having full engine access, and segment affected developer machines from sensitive systems accordingly. Monitor Docker engine activity for unexpected commands originating from containers. After upgrading, confirm the fix by running a container with the Docker socket mounted and attempting a command that the ECI command list denies; the command must be rejected.
Update Docker Desktop to a version later than 4.46.0. This update fixes the vulnerability that allows unrestricted command execution through the Docker socket when ECI is enabled and command restrictions are configured.
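The following script is an added example, not code from this advisory or from Docker. It implements the two checks described above: first whether the installed Docker Desktop is the affected 4.46.0 release, and after upgrading, whether an ECI Docker socket command restriction is actually enforced. It uses a positive control (an allowed command must work through the mounted socket) before the negative control (a denied command must fail), because a failing denied command on its own could also mean the image was simply not permitted to mount the socket. The `Server: Docker Desktop 4.46.0 (...)` line format of `docker version`, the `docker:cli` image being on the ECI socket-mount image allow-list, and a deny list that contains the command named in `ECI_DENIED_CMD` (default `info`) are all assumptions made for this example.

```shell
# Added example (not code from the advisory or from Docker): decide whether a
# Docker Desktop install is the affected 4.46.0 build and, after upgrading,
# verify that an ECI Docker-socket command restriction is really enforced.
#
# Assumptions (not stated on the page):
#  - `docker version` on Docker Desktop prints a line such as
#      "Server: Docker Desktop 4.46.0 (199160)"
#  - ECI is on, the docker:cli image is allowed to mount the socket, and the
#    ECI command deny-list contains the command given in ECI_DENIED_CMD.

# is_affected VERSION: true only for the single affected release.
is_affected() {
    case "$1" in
        4.46.0) return 0 ;;
        *)      return 1 ;;
    esac
}

# desktop_version: read `docker version` output on stdin and print the
# Docker Desktop version, or nothing when the server is not Docker Desktop.
desktop_version() {
    sed -n 's/^[[:space:]]*Server: Docker Desktop \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# socket_cmd ARGS...: run `docker ARGS...` inside a throwaway container that
# has the Docker socket mounted. The exit status is the inner CLI's status,
# so a command rejected by the ECI socket proxy yields non-zero.
socket_cmd() {
    docker run --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        docker:cli docker "$@" >/dev/null 2>&1
}

# verify_restriction ALLOWED DENIED: ALLOWED must succeed (proving the socket
# mount itself was permitted), then DENIED must fail. Only that combination
# shows the command restriction is enforced rather than the mount being blocked.
verify_restriction() {
    allowed="$1"; denied="$2"
    if ! socket_cmd "$allowed"; then
        echo "INCONCLUSIVE: '$allowed' failed; socket mount or image not permitted"
        return 2
    fi
    if socket_cmd "$denied"; then
        echo "FAIL: '$denied' succeeded; ECI socket command restrictions are NOT enforced"
        return 1
    fi
    echo "OK: '$denied' was blocked by ECI while '$allowed' worked"
    return 0
}

main() {
    v="$(docker version 2>/dev/null | desktop_version)"
    if [ -z "$v" ]; then
        echo "Not Docker Desktop (or daemon unreachable); CVE-2025-10657 does not apply"
        return 0
    fi
    if is_affected "$v"; then
        echo "VULNERABLE: Docker Desktop $v, upgrade to 4.46.1 or later"
        return 1
    fi
    echo "Docker Desktop $v is not the affected release; checking that ECI enforces restrictions"
    verify_restriction version "${ECI_DENIED_CMD:-info}"
}

# Live checks run only when explicitly requested, so sourcing the file is side-effect free.
if [ "${ECI_VERIFY:-0}" = "1" ]; then
    main
fi
```

Run it with `ECI_VERIFY=1 sh eci-check.sh` on the workstation; an exit status of 1 means either the affected version is installed or the denied command went through, and 2 means the positive control failed and the result says nothing about the command restriction.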
CVE-2025-10657 is a vulnerability in Docker Desktop version 4.46.0 in which the Docker socket command restrictions of Enhanced Container Isolation (ECI) are ignored, allowing a container with a mounted Docker socket to run unrestricted Docker commands.
If you are running Docker Desktop 4.46.0 with ECI enabled and any container is permitted to mount the Docker socket, you are affected.
Upgrade to Docker Desktop 4.46.1 or later. Until then, restrict which containers may mount the Docker socket and segment affected machines from sensitive systems.
While no active exploitation has been confirmed, the ease of exploitation suggests that active campaigns are possible.
Refer to the official Docker security advisories on the Docker website for updates and mitigation guidance.