Cybersecurity researchers have disclosed details of a critical security flaw affecting Ask Gordon, an artificial intelligence assistant integrated into Docker Desktop and the Docker Command Line Interface, which could have been exploited to execute arbitrary code and exfiltrate sensitive data. The vulnerability, now patched, was identified by Noma Labs and assigned the codename DockerDash. Docker addressed the issue with the release of Docker Desktop version 4.50.0 in November 2025, mitigating the risk across desktop, cloud, and CLI environments.
According to Noma Labs, the vulnerability stemmed from how Ask Gordon processes and interprets Docker image metadata. The AI assistant was found to treat unverified metadata labels as executable instructions, allowing malicious input to pass through multiple system layers without validation. In a report shared with media, Sasi Levi, security research lead at Noma Labs, explained that a single malicious metadata label embedded in a Docker image could initiate a three stage attack chain. In this sequence, Ask Gordon reads and interprets the crafted instruction, forwards it to the Model Context Protocol Gateway, and the gateway then executes it using MCP tools. Levi noted that each stage of this process occurred without adequate validation, exposing a critical trust boundary flaw within the current AI agent and MCP Gateway architecture.
Successful exploitation of DockerDash could have resulted in critical impact remote code execution on cloud and CLI systems, while Docker Desktop users faced high impact data exfiltration risks. The issue was characterized as a Meta Context Injection flaw, where contextual data was implicitly trusted and executed without differentiation between descriptive metadata and operational commands. MCP, which serves as a bridge between large language models and the local execution environment, was unable to distinguish between standard Docker LABEL fields and pre authorized internal instructions. By embedding malicious instructions in these metadata fields, attackers could manipulate the AI assistant’s reasoning process and trigger unintended tool execution with the victim’s Docker privileges.
In a hypothetical attack scenario outlined by researchers, a threat actor could publish a Docker image containing weaponized instructions hidden within Dockerfile LABEL fields. When a user queried Ask Gordon about the image, the assistant would parse the metadata and fail to recognize the embedded instructions as malicious. These instructions would then be forwarded to the MCP Gateway, which interpreted them as trusted requests and invoked the corresponding MCP tools without additional checks. As a result, the tools could execute commands in the victim’s environment, leading to unauthorized code execution. The same flaw could also be leveraged for data exfiltration, particularly within Docker Desktop, by abusing the assistant’s read only permissions to collect sensitive information such as installed tools, container configurations, mounted directories, Docker settings, and network topology.
DockerDash also highlighted broader risks associated with AI assisted development environments and supply chain security. Researchers emphasized that trusted input sources, including metadata from container images, can be abused to carry hidden malicious payloads that influence AI driven execution paths. Noma Labs noted that mitigating this class of threats requires strict zero trust validation of all contextual data supplied to AI systems. Docker Desktop version 4.50.0 also addressed a separate prompt injection issue previously identified by Pillar Security, which involved malicious instructions embedded in Docker Hub repository metadata. Together, these findings underscore the growing need for stronger safeguards around AI integrations in developer tooling, particularly where automated reasoning intersects with privileged execution environments.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
