
Jun 29, 2026

Sploitus / Exploitarium

Docker cp Copy-Out Destination Escape

A container races the host's `docker cp` copy-out so that extraction writes to a sibling path outside the requested destination. Validated on Engine 29.6.0.

Summary

A container races the host's `docker cp` copy-out so that extraction writes to a sibling path outside the requested destination. The behavior was validated on Engine 29.6.0. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

| Finding | Detail |
| --- | --- |
| Product / target | Docker Client/Server 29.6.0 |
| Primitive | Tar stream extraction race against sibling prefix paths (dst vs dst2) |
| Impact | Container-controlled file write outside operator-selected host destination when copy-out races. |

Attack Chain

Host runs docker cp → container padding + raced path → marker under dst2/

Mitigation

Avoid copy-out from untrusted containers to sensitive host trees; isolate operator workflows.
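
One way to check an isolated copy-out workflow after the fact, as an added example that is not taken from the upstream PoC or from Docker: snapshot a throwaway staging parent before the copy, snapshot it again afterwards, and flag anything written outside the requested destination. The function names and the `staging` layout are hypothetical, the copy-out itself is replaced by constructed file writes, and the check only sees paths under the directory that was snapshotted.

```python
import os
import tempfile

def snapshot(root):
    """Map each file or symlink under root to (size, mtime_ns) without following links."""
    seen = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            seen[path] = (st.st_size, st.st_mtime_ns)
    return seen

def is_inside(path, dest):
    """Component-wise containment, so /x/dst2/f is not treated as inside /x/dst."""
    path, dest = os.path.abspath(path), os.path.abspath(dest)
    return os.path.commonpath([path, dest]) == dest

def stray_writes(before, after, dest):
    """Paths created or modified between two snapshots that lie outside dest."""
    changed = [p for p, meta in after.items() if before.get(p) != meta]
    return sorted(p for p in changed if not is_inside(p, dest))

def demo():
    # Constructed layout: staging/ is a throwaway parent holding the requested
    # destination dst/ and its sibling dst2/ (names taken from the table above).
    staging = tempfile.mkdtemp(prefix="cp-staging-")
    dst, dst2 = os.path.join(staging, "dst"), os.path.join(staging, "dst2")
    os.mkdir(dst)
    os.mkdir(dst2)
    before = snapshot(staging)
    # Stand-in for the copy-out (constructed, no Docker involved): one file lands
    # where the operator asked, one marker lands under the sibling.
    for target in (os.path.join(dst, "report.txt"), os.path.join(dst2, "marker")):
        with open(target, "w") as fh:
            fh.write("constructed sample\n")
    after = snapshot(staging)
    return [os.path.relpath(p, staging) for p in stray_writes(before, after, dst)]

if __name__ == "__main__":
    print(demo())
```

A plain string-prefix comparison would accept `dst2/marker` as being under `dst`, which is why the containment test compares whole path components.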
