## Docker Socket ':ro' Mount Exposes Root-Level Host Access Risk in Vaier, Traefik Containers
A security misconfiguration in the docker-compose deployment of Vaier and Traefik creates a critical privilege escalation path. Both containers mount the Docker socket as `/var/run/docker.sock:/var/run/docker.sock:ro`, relying on the `:ro` flag to enforce read-only access. This does not achieve the intended protection: `:ro` makes the bind mount read-only, which only prevents modifying the socket file node itself, while the Docker HTTP API served over that socket remains fully accessible. An attacker with code execution inside either container retains unrestricted read, write, exec, container-create, and privileged capabilities through the Docker API.

Compounding this, the Dockerfile runtime stage lacks a `USER` directive, so the container process runs as root by default. Combined with the unrestricted Docker API access, this creates a direct path from a single code-execution vulnerability to host-level root compromise. An attacker who compromises Vaier through an earlier security flaw would gain root inside the container, then immediately escalate to host root by executing `docker exec` into any container or running `docker run --privileged` with arbitrary options. The `:ro` flag provides a false sense of safety without materially limiting the attack surface.

The recommended remediation is a two-layer privilege drop. First, add a dedicated non-root user to the Dockerfile runtime stage with `useradd -u 1000 -m -s /usr/sbin/nologin vaier` followed by a `USER 1000:1000` directive, which limits the impact of any container compromise. Second, adjust volume ownership of the config directories to match the new UID so the process can still access them. Organizations running this stack face elevated risk until the Dockerfile is hardened and the socket mount is either removed or, if container management capabilities are actually required, replaced with a read-only API proxy.
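As an added example (not code from the issue or the Vaier project), the POSIX shell audit below flags the two conditions described above in a compose file and a Dockerfile, then runs against constructed samples of the vulnerable and the remediated configuration; image names and the `config/` path are placeholders.

```shell
#!/bin/sh
# Added audit helper, not part of the original issue or the Vaier project. It flags
# the two conditions the report describes: a bind mount of /var/run/docker.sock in a
# compose file (':ro' or not, since the mount mode does not affect the API) and a
# Dockerfile runtime stage that never drops root with a USER directive.

# Exit 0 if the compose file references the host Docker socket (short or long volume syntax).
compose_mounts_docker_socket() {
    grep -q '/var/run/docker\.sock' "$1"
}

# Exit 0 if the final stage runs as root: no USER directive, or one selecting root/uid 0.
dockerfile_runs_as_root() {
    last_user=$(awk 'toupper($1)=="FROM"{u=""} toupper($1)=="USER"{u=$2} END{print u}' "$1")
    case "$last_user" in
        ""|root|root:*|0|0:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs mirroring the report (placeholder image names and paths).
WORK=$(mktemp -d)
VULN_COMPOSE="$WORK/docker-compose.yml"
VULN_DOCKERFILE="$WORK/Dockerfile.vuln"
HARDENED_DOCKERFILE="$WORK/Dockerfile.hardened"
cat >"$VULN_COMPOSE" <<'EOF'
services:
  vaier:
    image: example/vaier:placeholder
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
EOF
cat >"$VULN_DOCKERFILE" <<'EOF'
FROM golang:1.22 AS build
RUN go build -o /out/vaier .
FROM debian:bookworm-slim
COPY --from=build /out/vaier /usr/local/bin/vaier
EOF
# Remediation from the report: dedicated non-root user, config owned by that UID, then USER 1000:1000.
cat >"$HARDENED_DOCKERFILE" <<'EOF'
FROM debian:bookworm-slim
RUN useradd -u 1000 -m -s /usr/sbin/nologin vaier
COPY --chown=1000:1000 config/ /etc/vaier/
USER 1000:1000
EOF

compose_mounts_docker_socket "$VULN_COMPOSE" && echo "FINDING: Docker socket mounted in $VULN_COMPOSE"
dockerfile_runs_as_root "$VULN_DOCKERFILE" && echo "FINDING: runtime stage runs as root in $VULN_DOCKERFILE"
dockerfile_runs_as_root "$HARDENED_DOCKERFILE" || echo "OK: $HARDENED_DOCKERFILE drops root"
```

Run it as `sh audit.sh`; the two FINDING lines correspond to the socket mount and the missing `USER` directive, and the hardened Dockerfile passes.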
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: docker-security, container-escalation, privilege-escalation, docker-socket, root-access
- **Credibility**: unverified
- **Published**: 2026-05-04 10:54:07
- **ID**: 79246
- **URL**: https://whisperx.ai/en/intel/79246