Cybersecurity researchers have disclosed a critical vulnerability, dubbed DockerDash, impacting the AI assistant Ask Gordon, integrated into Docker Desktop and its Command-Line Interface (CLI). This flaw, patched in November 2025, could permit attackers to execute arbitrary code and steal sensitive data by exploiting how the AI processes image metadata.
The vulnerability, detailed by cybersecurity firm Noma Labs, arises from Ask Gordon’s tendency to interpret unverified metadata within Docker images as executable commands. This lack of validation allows malicious instructions, embedded within seemingly innocuous labels, to be forwarded to the Model Context Protocol (MCP) Gateway, which then executes them without further scrutiny, compromising the Docker environment.
DockerDash Vulnerability Exposes AI Supply Chain Risk
The core of the DockerDash vulnerability lies in a failure of contextual trust between the AI assistant and the underlying Docker environment. According to Sasi Levi, security research lead at Noma Labs, the MCP Gateway is unable to differentiate between standard informational metadata and pre-authorized, runnable internal instructions. This allows threat actors to exploit this ambiguity by embedding malicious commands within Docker image metadata fields.
Successful exploitation of DockerDash can lead to critical-impact remote code execution for cloud and CLI systems. For desktop applications, the impact is characterized as high-impact data exfiltration, where an attacker can gather sensitive internal information about a user’s system.
This security lapse underscores the growing concerns surrounding AI supply chain risk. Researchers emphasize that trusted input sources, such as Docker image metadata, can be subtly weaponized to manipulate an AI’s execution path. The vulnerability highlights the need for robust zero-trust validation on all contextual data provided to AI models.
How DockerDash Works
The attack chain leverages a critical trust boundary violation in how Ask Gordon parses container metadata. The process begins with an attacker crafting a malicious Docker image. This image contains carefully constructed, weaponized instructions embedded within the Dockerfile’s LABEL fields. While these labels typically serve descriptive purposes, they become potent vectors when processed by Ask Gordon.
When a victim interacts with Ask Gordon AI about the compromised image, the AI assistant reads the metadata, including all LABEL fields. Crucially, it fails to distinguish between legitimate metadata descriptions and the embedded malicious instructions. Ask Gordon then forwards these parsed instructions to the MCP gateway, a middleware layer connecting AI agents and MCP servers.
The MCP Gateway, interpreting the instructions as a standard request from a presumed trusted source, proceeds to invoke the specified MCP tools without any additional validation. These tools then execute the command with the victim’s Docker privileges, thereby achieving unauthorized code execution.
Furthermore, the data exfiltration aspect of the DockerDash vulnerability exploits the same prompt injection flaw. By targeting Ask Gordon’s Docker Desktop implementation, attackers can leverage its read-only permissions through MCP tools to gather sensitive internal data. This data can include details about installed tools, container configurations, mounted directories, and network topology, providing attackers with a comprehensive overview of the victim’s environment.
It is noteworthy that Ask Gordon version 4.50.0, released in November 2025, also addressed a separate prompt injection vulnerability identified by Pillar Security. That earlier flaw could have allowed attackers to hijack the assistant and exfiltrate sensitive data by tampering with Docker Hub repository metadata.
The implications of DockerDash extend beyond immediate system compromise. It highlights a new class of attacks targeting the intricate integrations between AI assistants and development tools. Moving forward, the focus will remain on how Docker and other software providers implement more rigorous validation protocols for AI-driven interactions, particularly when dealing with external or user-provided data sources.