Impact
Docker Model Runner (DMR) contains an SSRF weakness in its OCI registry token exchange flow. The client follows the realm URL provided in the WWW-Authenticate header of the registry response without validating its scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal address such as http://127.0.0.1:3000/, causing the DMR running on the host to issue arbitrary HTTP GET requests to internal services. The full response body is returned to the caller, and the token exchange mechanism can also forward data from internal services back to the attacker through the Authorization: Bearer header. This allows an attacker to read internal resources and potentially exfiltrate sensitive data. The weakness is classified as CWE‑918 (Server‑Side Request Forgery).
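The three checks the realm URL skipped (scheme, hostname, IP range) can be sketched as follows. This is an added example, not DMR's code or the fix shipped in 1.1.25; `ValidateRealm`, `Resolver` and the sample challenge strings are hypothetical names and constructed inputs, and the resolver is injected so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// realmRe pulls realm="..." out of a Bearer challenge, wherever it sits in the parameter list.
var realmRe = regexp.MustCompile(`(?i)^Bearer\s+(?:.*?,\s*)?realm="([^"]*)"`)

// Resolver maps a hostname to IPs (assumption: net.LookupIP in a real client).
type Resolver func(host string) ([]net.IP, error)

// ValidateRealm returns the realm URL only if it is https and every address is external.
func ValidateRealm(challenge string, resolve Resolver) (*url.URL, error) {
	m := realmRe.FindStringSubmatch(challenge)
	if m == nil {
		return nil, errors.New("no Bearer realm in challenge")
	}
	u, err := url.Parse(m[1])
	if err != nil || u.Hostname() == "" {
		return nil, errors.New("realm is not an absolute URL")
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("realm scheme %q not allowed", u.Scheme)
	}
	ips := []net.IP{net.ParseIP(u.Hostname())} // IP literal: check it directly
	if ips[0] == nil {                         // hostname: check everything it resolves to
		if ips, err = resolve(u.Hostname()); err != nil || len(ips) == 0 {
			return nil, errors.New("realm host does not resolve")
		}
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
			ip.IsUnspecified() || ip.IsMulticast() {
			return nil, fmt.Errorf("realm resolves to internal address %s", ip)
		}
	}
	return u, nil
}

func main() {
	// Constructed challenge using the internal address from the advisory text.
	stub := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("10.0.0.5")}, nil }
	_, err := ValidateRealm(`Bearer realm="http://127.0.0.1:3000/",service="registry"`, stub)
	fmt.Println(err)
}
```

A client applying a check like this should also connect to the address it validated rather than resolving the hostname a second time, so the check and the request cannot see different DNS answers.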
Affected Systems
The vulnerability affects Docker Model Runner versions prior to 1.1.25. Docker Desktop users are protected when Enhanced Container Isolation (ECI) is enabled, because it blocks container access to the DMR service. However, if DMR is exposed to localhost over TCP in certain configurations, the SSRF flaw remains exploitable. Any deployment of DMR that does not run the patched version could be impacted.
Risk and Exploitability
The CVSS base score is 6.8, indicating a medium severity vulnerability. EPSS is reported as less than 1%, suggesting a low probability of widespread exploitation, and it is not listed in the CISA KEV catalog. The attack requires the attacker to control or influence an OCI registry that the DMR will pull a model from. Once the malicious registry is accessed, the client’s unvalidated request gives the attacker access to internal network services and the ability to leak internal data. Deployments with local TCP exposure are at the highest risk, while configurations protected by ECI or upgraded to 1.1.25 are safe.