CVE-2025-10657: 
Docker Desktop vulnerability analysis and mitigation

A vulnerability was discovered in Docker Desktop 4.46.0 affecting the Enhanced Container Isolation (ECI) feature. The vulnerability (CVE-2025-10657) was disclosed on September 26, 2025, where the command restrictions feature for containers with Docker socket mounts failed to properly restrict commands when passed to ECI. This security flaw affects only Docker Desktop 4.46.0 users who have ECI enabled and are using the Docker socket command restrictions feature (Docker Release Notes, NVD).

The vulnerability stems from a software bug where the configuration to restrict commands was ignored when passed to Enhanced Container Isolation (ECI), effectively allowing any command to be executed on the Docker socket. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD).

The vulnerability grants excessive privileges by permitting unrestricted access to powerful Docker commands. Since ECI restricts mounting the Docker socket into containers by default, the impact is limited to containers which are explicitly allowed by the administrator to mount the Docker socket (NVD).

The vulnerability was fixed in Docker Desktop 4.47.0 released on September 25, 2025. Users are advised to upgrade to this version or later to address the security issue (Docker Release Notes).