Docker Desktop for macOS vulnerability allows malicious images to be installed
Docker Desktop for macOS, the management app for the Docker container platform, has an authorization vulnerability that could be abused to bypass registry restrictions.

CVE-2025-4095 is a Docker Desktop vulnerability on macOS.
A security flaw has been discovered in Docker Desktop, registered under the CVE code CVE-2025-4095.
Specifically, CVE-2025-4095 describes a security vulnerability in Docker Desktop that affects Registry Access Management (RAM). RAM is a security feature that lets administrators restrict developers within their organization to approved registries only.
The listing explains that, when a macOS configuration profile is used to enforce the organizational sign-in, RAM policies are not applied. The result is that those Docker Desktop users can pull images from registries that are not authorized, opening the door to malicious images being used.
CVE-2025-4095 is classified as a "Medium" severity threat, which means it has the potential to disrupt communications or business.
For its part, Docker has released a fix in Docker Desktop version 4.41, which is available to download now. The simple remedy is for administrators to update the affected Docker Desktop installation to the newest version.
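As an added example (not code from the article, from Docker, or from AppleInsider), here is a POSIX shell check a Mac administrator could run to flag the combination described above: a Docker Desktop build older than 4.41 together with sign-in enforced by a configuration profile. It assumes Docker Desktop's version is readable from Docker.app's Info.plist (CFBundleShortVersionString) and that the sign-in profile can be recognised by a string you set in PROFILE_MARKER, which is a placeholder rather than a documented identifier.

```shell
#!/bin/sh
# Added example (see lead-in): flags the CVE-2025-4095 exposure described above:
# Docker Desktop for macOS below 4.41 plus sign-in enforced by a config profile.
# PROFILE_MARKER is a placeholder assumption; set it to your MDM's payload id.
FIXED_VERSION="4.41.0"
DOCKER_PLIST="${DOCKER_PLIST:-/Applications/Docker.app/Contents/Info.plist}"
PROFILE_MARKER="${PROFILE_MARKER:-docker}"

# version_lt A B : exit 0 when dotted version A is strictly older than B.
# Missing parts count as 0 (4.41 == 4.41.0); suffixes like "-beta" are ignored.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) ai=${a%%.*}; a=${a#*.} ;; *) ai=$a; a= ;; esac
        case $b in *.*) bi=${b%%.*}; b=${b#*.} ;; *) bi=$b; b= ;; esac
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# assess VERSION PROFILE : verdict line; PROFILE is "yes" when sign-in is
# enforced by a configuration profile, "no" otherwise.
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "OK: Docker Desktop $1 includes the CVE-2025-4095 fix"
    elif [ "$2" = yes ]; then
        echo "VULNERABLE: Docker Desktop $1 with profile-enforced sign-in; RAM not applied (CVE-2025-4095)"
    else
        echo "OUTDATED: Docker Desktop $1 is below $FIXED_VERSION; update"
    fi
}
# Docker Desktop version from Info.plist (CFBundleShortVersionString, macOS only).
installed_desktop_version() {
    [ -f "$DOCKER_PLIST" ] && /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$DOCKER_PLIST"
}
# Exit 0 when an installed profile matches PROFILE_MARKER (run as root to see device scope).
signin_profile_present() {
    command -v profiles >/dev/null 2>&1 || return 1
    profiles list 2>/dev/null | grep -qi "$PROFILE_MARKER"
}
# Live check only when RUN_LIVE_CHECK=1, so the file can be sourced by tests.
case ${RUN_LIVE_CHECK:-} in
    1) v=$(installed_desktop_version) || { echo "Docker Desktop not found"; exit 2; }
       if signin_profile_present; then p=yes; else p=no; fi
       assess "$v" "$p" ;;
esac
```

Run it on a Mac with `RUN_LIVE_CHECK=1 sh check.sh` (as root if the profile is device-scoped); the verdict is only as good as the PROFILE_MARKER you supply.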
What is Docker?
One of the earliest and most popular container systems, Docker is a tool for the development and deployment of apps and environments. The containers are systems for bundling development environments, build systems, apps, and deployment info into one file.
As well as creating the file, known as an "image," Docker also handles the environments needed to run them.
The biggest benefit of containers is that they include everything needed for development and deployment, which vastly reduces the time needed to configure and provision systems needed to run apps.
Various registries exist that allow the cataloging and storing of container images in one central location. This is sort of like GitHub, but for container images instead of for code itself.
There are registries run by container companies, such as Docker's Docker Hub, and there are third-party ones from other companies and organizations, such as Amazon ECR, Google, and Microsoft's Azure.
In order for users to access and download container images, a login to each registry is usually required.
Docker also provides a macOS app called Docker Desktop, which helps users download and update container images on their Macs. One of the features of Docker Desktop is the ability to log in and access container images using credentials defined in a configuration file.
For more information, the Docker website has documentation on Registry Access Management.
Also see CWE-862: Missing Authorization (4.17), which details the kind of vulnerability that the classification of this security issue denotes.
Read on AppleInsider