Cybersecurity researchers have uncovered a critical security flaw affecting Docker’s Ask Gordon AI assistant, revealing how unverified metadata is translated into executable instructions.
Dubbed DockerDash by Noma Labs, the issue exposes weaknesses across the entire AI execution chain, from model interpretation to tool execution, and highlights new risks as AI agents are embedded deeper into development workflows.
This research shows that a single malicious metadata label in a Docker image can compromise a Docker environment through a three-step process.
Ask Gordon reads the metadata, forwards the interpreted instructions to the Model Context Protocol (MCP) gateway, and executes the instructions through the MCP tool. Metadata is not validated at any point. This failure of trust allows attackers to bypass security boundaries without exploiting traditional software bugs.
Two vulnerability paths from one defect
Noma Labs has identified shared attack vectors that produce different results depending on how Docker is deployed.
In cloud and command-line (CLI) environments, this flaw allows remote code execution (RCE) with high impact. In Docker Desktop, where Ask Gordon runs with read-only privileges, the same technique enables data exfiltration and reconnaissance at scale.
Read more about AI supply chain security: Precision becomes the new strategy for software supply chain attacks
At the core of DockerDash is what Noma Labs calls metacontext injection. Although the MCP Gateway is designed to pass context information to a larger language model, it cannot distinguish between descriptive metadata and pre-approved internal instructions.
By embedding commands within seemingly innocuous Docker LABEL fields, attackers can manipulate the AI’s reasoning and turn context into actions.
Data extraction and mitigation strategies
The effects vary depending on the environment, but remain severe in both cases.
-
RCE with Docker CLI commands in cloud or local CLI setups
-
Publishing container configurations, environment variables, and network settings
-
Enumerating installed MCP tools, images, and system configuration data
In Docker Desktop, attackers can also steal collected data by instructing Ask Gordon to embed data in outgoing requests, bypassing controls that focus on executing commands rather than unauthorized reads.
Noma Labs reported this issue to Docker on September 17, 2025. Docker confirmed this vulnerability on October 13th and addressed it in Docker Desktop version 4.50.0, released on November 6th, 2025. It was then opened to the public earlier today.
Docker has implemented two important mitigations. Ask Gordon no longer renders user-specified image URLs, blocking one exfiltration path. Additionally, explicit user confirmation is required before invoking the MCP tool, introducing a human safety mechanism.
We strongly recommend that users upgrade to Docker Desktop 4.50.0 or later to reduce their exposure to this new type of AI-driven supply chain attack.
