Docker Model Runner MLX Inference Backend Arbitrary Code Execution Vulnerability on macOS
Vulnerability
A vulnerability in the MLX inference backend of Docker Model Runner for macOS allows arbitrary code execution on the Docker host. The root cause is that the MLX-LM library imports and executes Python files from the model directory, as named in the model_file field of the model's config.json, without validating what that field points to. Because the MLX backend runs without sandboxing, any container on the Docker network can trigger the issue by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and then requesting inference against it.
Impact
Successful exploitation results in arbitrary code execution on the Docker host, running with the privileges of the Docker Desktop user.
Reproduction
To reproduce this vulnerability, publish a malicious model to an OCI registry that you control, with a config.json whose model_file entry points to a Python file shipped alongside the model. Then, from any container on the Docker network (no special privileges on the container side are required), call the model-runner.docker.internal API to pull that model and request inference with it. When the MLX backend loads the model it imports and executes the referenced Python file on the Docker host, which is the arbitrary code execution.
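As an added example covering both the root cause above and the reproduction steps (this is not the advisory's, Docker's, or MLX-LM's own code): a pre-load audit that a registry gate or a local wrapper could run over a pulled model directory before handing it to the MLX backend. It parses config.json and rejects any model_file value that names importable code, is absolute, or resolves outside the model directory, the exact condition the advisory describes as unchecked. The allowed-extension list, the audit function names, and the sample configs are constructed for illustration; the only config field the advisory names is model_file. This is a defensive check for operators, not a substitute for the backend fix.

```python
import json
import os
import tempfile
from pathlib import Path, PurePosixPath

# Constructed allowlist of extensions a model_file may legitimately reference;
# tighten it to whatever artefacts the deployment actually ships.
ALLOWED_SUFFIXES = {".safetensors", ".npz", ".json"}
# Extensions Python's import machinery would load and execute.
CODE_SUFFIXES = {".py", ".pyc", ".pyw", ".pyd", ".so", ".dylib"}


def audit_config(config):
    """Return findings for a parsed config.json; an empty list means model_file looks safe."""
    findings = []
    value = config.get("model_file")
    if value is None:
        return findings  # nothing for the loader to import
    if not isinstance(value, str) or not value.strip():
        return ["model_file is not a non-empty string"]
    rel = PurePosixPath(value.replace("\\", "/"))
    # Lexical containment: absolute paths and '..' components are rejected outright.
    if os.path.isabs(value) or rel.is_absolute() or ".." in rel.parts:
        findings.append(f"model_file leaves the model directory: {value!r}")
    suffix = rel.suffix.lower()
    if suffix in CODE_SUFFIXES:
        findings.append(f"model_file names importable code: {value!r}")
    elif suffix not in ALLOWED_SUFFIXES:
        # A bare module or package name has no suffix and would also be importable.
        findings.append(f"model_file has unexpected extension {suffix or '(none)'}: {value!r}")
    return findings


def audit_model_dir(model_dir):
    """Audit <model_dir>/config.json, adding a symlink-aware containment check."""
    model_dir = Path(model_dir).resolve()
    config_path = model_dir / "config.json"
    if not config_path.is_file():
        return ["config.json is missing"]
    try:
        config = json.loads(config_path.read_text())
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc}"]
    if not isinstance(config, dict):
        return ["config.json top level is not an object"]
    findings = audit_config(config)
    value = config.get("model_file")
    if isinstance(value, str) and value.strip():
        # Resolve through symlinks so a link inside the directory cannot escape it.
        target = (model_dir / value).resolve()
        if target != model_dir and model_dir not in target.parents:
            findings.append(f"model_file resolves outside the model directory: {target}")
    return findings


# Constructed sample configs: one benign, one pointing at a Python file,
# one using traversal to reach a file outside the model directory.
SAMPLE_CONFIGS = {
    "benign":    {"model_type": "llama", "model_file": "model.safetensors"},
    "malicious": {"model_type": "llama", "model_file": "custom_loader.py"},
    "traversal": {"model_type": "llama", "model_file": "../shared/payload.py"},
}


def demo():
    """Write the sample configs into a temp dir and audit each model directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, cfg in SAMPLE_CONFIGS.items():
            d = Path(tmp) / name
            d.mkdir()
            (d / "config.json").write_text(json.dumps(cfg))
            results[name] = audit_model_dir(d)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it on a model directory after pulling and before the backend loads it; any non-empty finding list means the model should be quarantined rather than served. The suffix allowlist deliberately rejects bare names as well as .py files, because a module or package name with no extension is just as importable.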
