Cybersecurity researchers have disclosed particulars of a now-patched safety flaw impacting Ask Gordon, a synthetic intelligence (AI) assistant constructed into Docker Desktop and the Docker Command-Line Interface (CLI), that might be exploited to execute code and exfiltrate delicate information.
The essential vulnerability has been codenamed DockerDash by cybersecurity firm Noma Labs. It was addressed by Docker with the discharge of model 4.50.0 in November 2025.
“In DockerDash, a single malicious metadata label in a Docker picture can be utilized to compromise your Docker surroundings by means of a easy three-stage assault: Gordon AI reads and interprets the malicious instruction, forwards it to the MCP [Model Context Protocol] Gateway, which then executes it by means of MCP instruments,” Sasi Levi, safety analysis lead at Noma, stated in a report shared with The Hacker Information.
“Each stage occurs with zero validation, making the most of present brokers and MCP Gateway structure.”
Profitable exploitation of the vulnerability might lead to critical-impact distant code execution for cloud and CLI programs, or high-impact information exfiltration for desktop functions.
The issue, Noma Safety stated, stems from the truth that the AI assistant treats unverified metadata as executable instructions, permitting it to propagate by means of totally different layers sans any validation, permitting an attacker to sidestep safety boundaries. The result’s {that a} easy AI question opens the door for software execution.
With MCP appearing as a connective tissue between a big language mannequin (LLM) and the native surroundings, the problem is a failure of contextual belief. The issue has been characterised as a case of Meta-Context Injection.
“MCP Gateway can not distinguish between informational metadata (like a regular Docker LABEL) and a pre-authorized, runnable inner instruction,” Levi stated. “By embedding malicious directions in these metadata fields, an attacker can hijack the AI’s reasoning course of.”
In a hypothetical assault state of affairs, a risk actor can exploit a essential belief boundary violation in how Ask Gordon parses container metadata. To perform this, the attacker crafts a malicious Docker picture with embedded directions in Dockerfile LABEL fields.
Whereas the metadata fields could seem innocuous, they turn out to be vectors for injection when processed by Ask Gordon AI. The code execution assault chain is as follows –
- The attacker publishes a Docker picture containing weaponized LABEL directions within the Dockerfile
- When a sufferer queries Ask Gordon AI in regards to the picture, Gordon reads the picture metadata, together with all LABEL fields, making the most of Ask Gordon’s incapability to distinguish between legit metadata descriptions and embedded malicious directions
- Ask Gordon to ahead the parsed directions to the MCP gateway, a middleware layer that sits between AI brokers and MCP servers.
- MCP Gateway interprets it as a regular request from a trusted supply and invokes the required MCP instruments with none further validation
- MCP software executes the command with the sufferer’s Docker privileges, reaching code execution
The info exfiltration vulnerability weaponizes the identical immediate injection flaw however takes purpose at Ask Gordon’s Docker Desktop implementation to seize delicate inner information in regards to the sufferer’s surroundings utilizing MCP instruments by making the most of the assistant’s read-only permissions.
The gathered info can embrace particulars about put in instruments, container particulars, Docker configuration, mounted directories, and community topology.
It is value noting that Ask Gordon model 4.50.0 additionally resolves a immediate injection vulnerability found by Pillar Safety that would have allowed attackers to hijack the assistant and exfiltrate delicate information by tampering with the Docker Hub repository metadata with malicious directions.
“The DockerDash vulnerability underscores your must deal with AI Provide Chain Danger as a present core risk,” Levi stated. “It proves that your trusted enter sources can be utilized to cover malicious payloads that simply manipulate AI’s execution path. Mitigating this new class of assaults requires implementing zero-trust validation on all contextual information offered to the AI mannequin.”
