Full Report
Cybersecurity researchers have disclosed details of a now-patched security flaw impacting Ask Gordon, an artificial intelligence (AI) assistant built into Docker Desktop and the Docker Command-Line Interface (CLI), that could be exploited to execute code and exfiltrate sensitive data. The critical vulnerability has been codenamed DockerDash by cybersecurity company Noma Labs. It was addressed by
Analysis Summary
# Vulnerability: DockerDash - Code Execution via Malicious Ask Gordon AI Metadata
## CVE Details
- **Note:** CVE ID and official CVSS score were **not explicitly provided** in the source material. The vulnerability is codenamed "DockerDash."
- CVE ID: N/A (Implied TBD)
- CVSS Score: N/A (Described as "critical")
- CWE: Likely related to Injection (e.g., CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
## Affected Systems
- **Products:** Ask Gordon AI assistant (built into Docker Desktop and Docker CLI).
- **Versions:** Docker Desktop versions prior to 4.50.0.
- **Configurations:** Any environment utilizing the Ask Gordon AI assistant where untrusted Docker images are queried.
## Vulnerability Description
The vulnerability, dubbed "DockerDash," is an instance of **Meta-Context Injection** within the Ask Gordon AI assistant. It exploits a critical trust boundary violation where the AI misinterprets unverified metadata—specifically Dockerfile `LABEL` fields—as executable instructions.
The flaw resides in how Ask Gordon parses container metadata and forwards information to the Model Context Protocol (MCP) Gateway. The MCP Gateway executes these instructions via MCP tools without adequate validation, treating metadata received from the AI as a trusted request.
Successful exploitation enables:
1. **Remote Code Execution (RCE):** On cloud/CLI systems, by embedding malicious instructions in image labels that are then executed with the victim's Docker privileges.
2. **Sensitive Data Exfiltration:** On Docker Desktop, by weaponizing a prompt injection flaw to gather sensitive environment details (installed tools, container details, configurations, network topology) using MCP tools with read-only permissions.
## Exploitation
- **Status:** Details suggest the vulnerability was disclosed and patched. Status is assumed to be **PoC available** given the detailed technical disclosure by Noma Labs.
- **Complexity:** Not explicitly rated, but the attack chain suggests **Medium** complexity (requiring image creation, publication, and social engineering/interaction with the victim who queries the AI).
- **Attack Vector:** Primarily **Local/Network Interaction** (through querying a malicious image's metadata).
## Impact
- **Confidentiality:** **High/Critical** (Data exfiltration of environment secrets on desktop, potential system compromise on CLI).
- **Integrity:** **Critical** (Remote Code Execution possible).
- **Availability:** Information not explicitly detailed, likely **Low to Medium** (focused on compromise rather than Denial of Service).
## Remediation
### Patches
- **Patches:** Docker addressed this vulnerability with the release of **version 4.50.0** (released November 2025).
  - *Note: Version 4.50.0 also resolves a separate prompt injection via Docker Hub metadata.*
### Workarounds
- The provided text lists no specific temporary workarounds beyond actions related to image provenance or disabling the feature, if possible, until the patch is applied. *The primary mitigation is immediate patching.*
## Detection
- **Indicators of Compromise (IOCs):** Suspicious executions initiated by MCP tools following an AI query about a specific Docker image. Excessive network activity or file access immediately following an Ask Gordon interaction.
- **Detection Methods and Tools:** Monitoring system logs for unexpected command execution linked to Docker or the AI/MCP gateway process initiated after an image metadata query.
## References
- Vendor Advisory: Docker Desktop release notes for version 4.50.0 (available at docs dot docker dot com/desktop/release-notes/#4500)
- Research Disclosure: noma dot security/blog/dockerdash-two-attack-paths-one-ai-supply-chain-crisis/ (defanged)