【資安漏洞預警】Docker Windows版存在SSRF漏洞(CVE-2025-9074)

【行政公告】

公告單位	圖資處數位服務組
訊息類別	行政公告行政公告	公告對象	全體
公告主題	【資安漏洞預警】Docker Windows版存在SSRF漏洞(CVE-2025-9074) [Security Vulnerability Alert] Docker for Windows has a SSRF vulnerability (CVE-2025-9074)
公告內容	轉發台灣電腦網路危機處理暨協調中心 TWCERTCC-200-202508-00000015 [內容說明] Docker Windows桌機版是一款在Windows系統上運行的容器管理工具，透過容器技術簡化應用部署與管理。Docker發布重大資安漏洞更新公告(CVE-2025-9074，CVSS 4.x：9.3)並釋出更新版本，此為伺服器請求偽造(SSRF)漏洞，允許攻擊者利用API執行各種特權指令，包括控制其他容器、管理映像等，此外，該漏洞還允許與執行Docker Desktop 的使用者以相同的權限掛載主機磁碟機。 [影響平台] Docker Desktop 4.44.3(不含)之前版本　 [建議措施] 更新至 Docker Desktop 4.44.3(含)之後版本 [參考資料] 1. https://docs.docker.com/desktop/release-notes/#4443 2. https://nvd.nist.gov/vuln/detail/CVE-2025-9074 Forwarded by Taiwan Computer Network Crisis Management and Coordination Center (TWCERTCC-200-202508-00000015) [Description] Docker for Windows Desktop is a container management tool that runs on Windows systems and simplifies application deployment and management through container technology. Docker has released a critical security vulnerability update (CVE-2025-9074, CVSS 4.x:9.3) and an updated version. This vulnerability, a Server Request Forgery (SSRF) vulnerability, allows attackers to exploit the API to execute various privileged commands, including controlling other containers and managing images. Furthermore, this vulnerability allows attackers to mount host drives with the same permissions as the user running Docker Desktop. [Affected Platforms] Docker Desktop versions prior to (not including) 4.44.3 [Recommended Action] Update to Docker Desktop version 4.44.3 or later. [References] 1. https://docs.docker.com/desktop/release-notes/#4443 2. https://nvd.nist.gov/vuln/detail/CVE-2025-9074
相關訊息	參考資料1 參考資料2
公告時間	2025/8/27 至 2026/2/27	點閱次數	37