[Security Vulnerability Alert] Docker Desktop for Windows has an SSRF vulnerability (CVE-2025-9074)

Issuing unit: Library and Information Services, Digital Services Section
Date range: 2025/8/27 ~ 2026/2/27
Category: Administrative announcement
Audience: All

Forwarded from the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC) advisory TWCERTCC-200-202508-00000015

[Description]
Docker Desktop for Windows is a container management tool that runs on Windows and uses container technology to simplify application deployment and management. Docker has published a critical security advisory (CVE-2025-9074, CVSS 4.x score 9.3) together with a fixed release. The flaw is a Server-Side Request Forgery (SSRF) vulnerability that lets an attacker reach the Docker API and issue privileged commands, including controlling other containers and managing images. It also allows host drives to be mounted with the same privileges as the user running Docker Desktop.

[Affected Platforms]
Docker Desktop versions prior to 4.44.3 (4.44.3 itself is not affected)

[Recommended Action]
Update to Docker Desktop 4.44.3 or later.
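A fleet-triage helper for this advisory, added here as an example and not part of the TWCERT/CC or Docker text: it parses Docker Desktop version strings, compares them numerically against the 4.44.3 fix version (so that 4.44.10 is correctly treated as newer than 4.44.3, which a plain string comparison gets wrong), and buckets a constructed, hypothetical hostname-to-version inventory into affected, patched and unknown.

```python
import re

# Fixed version from the advisory: Docker Desktop 4.44.3 and later are patched.
FIXED_VERSION = (4, 44, 3)

# Accepts 'major.minor' or 'major.minor.patch', optionally prefixed with 'v'
# and followed by a suffix such as '-beta' that is ignored for the comparison.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text: str) -> tuple:
    """Parse 'major.minor[.patch]' into an integer tuple.
    Raises ValueError for anything that does not start with a numeric version."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Docker Desktop version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))

def is_affected(version: str) -> bool:
    """True when the Docker Desktop version is below 4.44.3 (CVE-2025-9074 unpatched).
    Tuple comparison is numeric per component, so '4.44.10' is newer than '4.44.3'."""
    return parse_version(version) < FIXED_VERSION

def triage_inventory(inventory: dict) -> dict:
    """Classify a {hostname: version_string} inventory into
    'affected', 'patched' and 'unknown' (unparseable version) buckets."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result

# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "ws-01": "4.43.1",
    "ws-02": "4.44.3",
    "ws-03": "4.44.10",
    "ws-04": "4.44.2",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```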

[References]
1. https://docs.docker.com/desktop/release-notes/#4443
2. https://nvd.nist.gov/vuln/detail/CVE-2025-9074

