CVE-2025-4095: 
Docker Desktop vulnerability analysis and mitigation

Registry Access Management (RAM) is a security feature in Docker Desktop that contains a vulnerability (CVE-2025-4095) discovered and disclosed on April 29, 2025. The vulnerability occurs when a MacOS configuration profile is used to enforce organization sign-in, causing RAM policies not to be applied. This affects Docker Desktop installations on MacOS systems (Docker Docs, MITRE CVE).

The vulnerability stems from a failure in the Registry Access Management (RAM) system when specifically used in conjunction with MacOS configuration profiles for organization sign-in enforcement. Under normal circumstances, RAM should restrict Docker Desktop users to pulling images only from approved registries. The vulnerability has been assigned a CVSS v4.0 Base Score of 4.3 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N (NVD).

When exploited, the vulnerability allows Docker Desktop users to circumvent registry access restrictions and pull images from any registry, regardless of whether it has been approved by their organization's administrators. This bypass could lead to the introduction of unapproved or potentially malicious container images into the organization's environment (Wiz).

Organizations should monitor for updates from Docker that address this vulnerability. In the interim, administrators should consider implementing additional controls at the network level to restrict access to unauthorized registries. Organizations may also consider implementing alternative methods for enforcing organization sign-in that don't rely on MacOS configuration profiles (Docker Docs).