Docker Model Runner Server-Side Request Forgery Vulnerability in OCI Registry Token Exchange
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Docker Model Runner (DMR) versions prior to 1.1.25. This vulnerability arises in the OCI registry token exchange process, where Model Runner fails to properly validate the scheme, hostname, or IP range of the realm URL specified in the registry's WWW-Authenticate header. As a result, a malicious OCI registry could direct Model Runner to an internal URL, prompting it to make arbitrary GET requests to local services. The full response from these internal services would be reflected back to the caller. Furthermore, the token exchange mechanism could transmit data from these internal services back to the attacker-controlled registry via the Authorization: Bearer header.
Impact
Exploitation of this vulnerability allows an unprivileged container or a malicious OCI registry to make GET requests to host-local services, including localhost and internal network resources. This could lead to unauthorized access to sensitive information or services running on the host.
Remediation
Users should update Docker Model Runner to version 1.1.25 or later. For Docker Desktop users, version 4.67.0 or later includes the fixed Model Runner. Additionally, enabling Enhanced Container Isolation (ECI) can block container access to Model Runner, although this vulnerability may still be exploitable if Docker Model Runner is exposed to localhost over TCP in certain configurations.
