
Posted on • Originally published at cvereports.com

GHSA-GPX9-96J6-PP87: The Call Is Coming From Inside The Container: TaskWeaver's Docker Escape

Vulnerability ID: GHSA-GPX9-96J6-PP87
CVSS Score: 7.5
Published: 2026-01-28

Microsoft TaskWeaver, a framework for autonomous LLM agents, failed to account for 'magic' DNS entries injected by Docker Desktop and similar runtimes on macOS and Windows. This oversight allows untrusted LLM-generated code running inside a container to bypass network isolation and access services running on the host machine's loopback interface via Server-Side Request Forgery (SSRF).

TL;DR

TaskWeaver sandboxes AI-generated code in Docker. On Mac/Windows, Docker adds hidden DNS records like 'host.docker.internal'. TaskWeaver didn't block them. Result: The AI can attack your local machine's internal services.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918 (SSRF)
  • Secondary CWE: CWE-693 (Protection Mechanism Failure)
  • Attack Vector: Network (Prompt Injection)
  • CVSS (Est): 7.5 (High)
  • Platform: macOS / Windows Containers
  • Component: Code Execution Service (CES)

Affected Systems

  • Microsoft TaskWeaver
  • Docker Desktop (macOS/Windows)
  • Podman (macOS/Windows)
  • Lima/Colima
  • TaskWeaver: versions before commit d635599 (fixed in commit d635599)

Code Analysis

Commit: d635599

fix: block access to host's localhost via magic domains

+ extra_hosts={
+    "host.docker.internal": "0.0.0.0",
+    "host.containers.internal": "0.0.0.0",
+    "host.lima.internal": "0.0.0.0",
+ },
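Review bot: pinning the three magic names to 0.0.0.0 closes only the name-based path; the host remains reachable through the gateway IP of the container's network, the bypass this advisory lists under "dynamic gateway IP discovery", so this hunk should ship together with the egress filtering or restricted network namespace named in the mitigations. A short comment above `extra_hosts` referencing GHSA-GPX9-96J6-PP87 would also stop a later reader from "cleaning up" three entries that look like a mistake.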

Exploit Details

  • Context Analysis: Exploitation involves standard SSRF techniques utilizing Docker magic domains or gateway IP calculation.

Mitigation Strategies

  • Disable 'magic' DNS resolution by pinning the injected hostnames (host.docker.internal, host.containers.internal, host.lima.internal) to the null address 0.0.0.0 via extra_hosts
  • Implement strict egress filtering (iptables) to block access to the host gateway IP
  • Run containers in restricted network namespaces
  • Ensure all host-side services require authentication

Remediation Steps

  1. Update TaskWeaver to the latest version (post-commit d635599)
  2. Verify container configuration explicitly sets extra_hosts for known magic domains to 0.0.0.0
  3. Audit code for dynamic gateway IP discovery to prevent bypasses
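The following is an added example that is not TaskWeaver's or Docker's own code; it turns the mitigation list and remediation steps 2 and 3 into a check. It parses the JSON that `docker inspect <container>` prints and reports whether the three magic hostnames are pinned to 0.0.0.0 in `HostConfig.ExtraHosts`, then flags that the gateway IP remains a route to the host unless the container runs with no network. The `docker inspect` documents embedded below are constructed samples; `hardened_extra_hosts()` returns the same mapping the fixing commit passes as `extra_hosts`.

```python
"""Audit a container's HostConfig for the TaskWeaver magic-domain fix.

Added example (not TaskWeaver's or Docker's code). It reads the JSON that
`docker inspect <container>` prints and checks two things from the advisory:
  1. the Docker Desktop / Podman / Lima magic hostnames are pinned to
     0.0.0.0 via extra_hosts, as commit d635599 does;
  2. the container's network mode, because extra_hosts cannot stop a
     payload that computes the gateway IP directly.
The docker inspect documents below are constructed samples.
"""
import json

# Hostnames null-routed by the fix; the list comes from the commit above.
MAGIC_HOSTS = (
    "host.docker.internal",
    "host.containers.internal",
    "host.lima.internal",
)
NULL_ADDR = "0.0.0.0"


def hardened_extra_hosts():
    """The extra_hosts mapping to pass to the docker SDK's containers.run()."""
    return {name: NULL_ADDR for name in MAGIC_HOSTS}


def parse_extra_hosts(entries):
    """Convert docker inspect's ["name:ip", ...] (or null) into {name: ip}.

    Split on the first colon only so IPv6 addresses stay intact.
    """
    mapping = {}
    for entry in entries or []:
        name, _, addr = entry.partition(":")
        mapping[name] = addr
    return mapping


def audit_host_config(inspect_json):
    """Return a report dict for the first container in a docker inspect document."""
    data = json.loads(inspect_json)
    container = data[0] if isinstance(data, list) else data
    host_config = container.get("HostConfig", {})
    pinned = parse_extra_hosts(host_config.get("ExtraHosts"))

    report = {
        "missing": [],
        "mispinned": {},
        "network_mode": host_config.get("NetworkMode", "default"),
    }
    for name in MAGIC_HOSTS:
        if name not in pinned:
            # Not overridden: the runtime's injected record resolves to the host.
            report["missing"].append(name)
        elif pinned[name] != NULL_ADDR:
            # Present but pointing somewhere real (e.g. Docker's "host-gateway").
            report["mispinned"][name] = pinned[name]
    return report


def is_hardened(report):
    """True when every magic hostname is pinned to the null address."""
    return not report["missing"] and not report["mispinned"]


def gateway_still_reachable(report):
    """extra_hosts only rewrites names; unless the container has no network,
    the gateway IP remains a route to the host that needs egress filtering."""
    return report["network_mode"] != "none"


# --- constructed docker inspect samples (not real container output) ----------
VULNERABLE_INSPECT = json.dumps([{
    "Id": "constructed-0001",
    "HostConfig": {"ExtraHosts": None, "NetworkMode": "default"},
}])

MISPINNED_INSPECT = json.dumps([{
    "Id": "constructed-0002",
    "HostConfig": {
        "ExtraHosts": ["host.docker.internal:host-gateway"],
        "NetworkMode": "bridge",
    },
}])

FIXED_INSPECT = json.dumps([{
    "Id": "constructed-0003",
    "HostConfig": {
        "ExtraHosts": [f"{h}:{ip}" for h, ip in hardened_extra_hosts().items()],
        "NetworkMode": "none",
    },
}])


if __name__ == "__main__":
    for label, doc in [("vulnerable", VULNERABLE_INSPECT),
                       ("mispinned", MISPINNED_INSPECT),
                       ("fixed", FIXED_INSPECT)]:
        report = audit_host_config(doc)
        print(f"{label}: hardened={is_hardened(report)} "
              f"gateway_reachable={gateway_still_reachable(report)} {report}")
```

In practice you would feed `audit_host_config()` the output of `docker inspect` for the running CES container; a non-empty `missing` or `mispinned` list means the runtime's injected record still resolves to the host, and `gateway_still_reachable()` being true means the iptables egress rule or restricted network namespace from the mitigation list is still required.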

Read the full report for GHSA-GPX9-96J6-PP87 on our website for more details including interactive diagrams and full exploit analysis.
