
Kaspersky research identifies critical vulnerabilities in Docker Hub images

An analysis of 100 popular container images using the company's security scanning software revealed that 64 percent contained remote code execution or root escalation risks.

Redação Portal ERP
Jun 12, 2026

Kaspersky, a global cybersecurity firm that provides threat intelligence and security software, released research indicating that nearly two-thirds of analyzed Docker Hub images contained critical security vulnerabilities. The security vendor utilized its Kaspersky Container Security platform, which incorporates an artificial intelligence assistant called KIRA, to scan the container registries. Docker Hub, a container registry utilized by developers, processes more than 11 billion image pulls per month.

The research team analyzed 100 randomly selected Docker Hub images, focusing on distributions that recorded up to one million downloads. The analysis found that 64 of the 100 images contained critical vulnerabilities that would permit an attacker to execute remote code, crash server processes or gain root privileges. The data showed that only 10 percent of the scanned images were fully updated.

Pre-built Docker images require manual rebuilding and redeployment for security patching, unlike traditional servers that utilize automated update systems. This manual requirement results in outdated images remaining in active use, according to the researchers.

The vendor noted that compromised containers allow attackers to execute distributed denial-of-service attacks, mine cryptocurrency or proxy network traffic. A hijacked container also presents risks for lateral movement, where an attacker could access neighboring containers or attempt to breach the broader enterprise network to steal or destroy data.

The report detailed several configuration vulnerabilities that persist even in fully patched container images. The researchers identified the insecure handling of credentials as a primary risk. In some configurations, developers set default passwords through environment variables or directly within a Dockerfile. Attackers can access applications if developers fail to override these default settings. The research also noted that passing passwords through command-line arguments exposes credentials to all users on the host system.

Another vector identified by the researchers involves privilege escalation within the container environment. Initial compromises of Linux systems often occur through remote code execution in web applications and network services.

While minimal privileges usually restrict these services, gaining root access inside a container allows an attacker to control internal processes and attempt container escapes. The report stated that common escalation methods include insecurely configured file permissions and the execution of arbitrary commands as root without a password via sudo.

The analysis also highlighted a lack of integrity checks during software downloads. The researchers warned that downloading software over the HTTP protocol without verifying the integrity of the archive creates conditions for man-in-the-middle attacks during the image build phase. If an attacker controls the domain name system or communication channel, they can replace the intended archive with malicious content, thereby compromising the container environment.
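The configuration weaknesses listed above can be checked for at build-review time. The following is an added example, not Kaspersky's tooling or code from the report: a small Dockerfile audit whose rule names, regular expressions and sample Dockerfile are constructed for illustration, and which treats "insecure file permissions" as world-writable `chmod` calls (an assumption).

```python
import re

# Constructed Dockerfile (not from the report) exhibiting each weakness.
SAMPLE = r"""FROM debian:bookworm
ENV DB_PASSWORD=changeme
RUN wget http://downloads.example.test/app.tar.gz \
    && tar -xzf app.tar.gz -C /opt
RUN echo "app ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
RUN chmod 777 /opt/app/run.sh
RUN curl -fsSL https://downloads.example.test/tool.tgz -o /tmp/tool.tgz \
    && echo "<sha256-placeholder>  /tmp/tool.tgz" | sha256sum -c -
CMD ["app", "--password=changeme"]
"""

SECRET_VAR = re.compile(r"(?i)\b\w*(?:PASSWORD|PASSWD|SECRET|TOKEN)\w*\s*[= ]\s*\S")
CLI_SECRET = re.compile(r"(?i)--?(?:password|passwd)[= ]\S")
CHECKSUM = re.compile(r"\b(?:sha(?:256|512)sum|gpg)\b")
WORLD_WRITABLE = re.compile(r"chmod\s+(?:-\w+\s+)*(?:0?[0-7][0-7][2367]\b|[ao]\+\w*w)")

RULES = [  # (instructions the rule applies to, predicate, finding label)
    (("ENV", "ARG"), SECRET_VAR.search, "default-credential"),
    (("RUN", "CMD", "ENTRYPOINT"), CLI_SECRET.search, "cli-credential"),
    (("RUN", "ADD"), lambda s: "http://" in s and not CHECKSUM.search(s),
     "unverified-http-download"),
    (("RUN",), lambda s: "NOPASSWD" in s, "passwordless-sudo"),
    (("RUN",), WORLD_WRITABLE.search, "world-writable"),  # assumed reading of "insecure permissions"
]

def logical_lines(text):
    """Join backslash continuations; yield (first line number, instruction)."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if buf else n
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf.strip()
        buf = ""

def audit(text):
    """Return (line number, finding) pairs for one Dockerfile's text."""
    return [(n, label) for n, ins in logical_lines(text)
            for ops, hit, label in RULES
            if ins.split()[0].upper() in ops and hit(ins)]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The HTTPS download on line 7 of the sample is not flagged because it is fetched over TLS and verified with `sha256sum -c` in the same instruction; secrets supplied at run time rather than baked into the image are outside what a Dockerfile-only check can see.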
