Cybersecurity researchers have disclosed details of a now-patched security flaw impacting Ask Gordon, an artificial intelligence (AI) assistant built into Docker Desktop and the Docker Command-Line Interface (CLI), that could be exploited to execute code and exfiltrate sensitive data.

The critical vulnerability has been codenamed DockerDash by cybersecurity company Noma Labs. It was addressed by Docker in version 4.50.0 released in November 2025.

The flaw exploits how Ask Gordon processes unverified Docker image metadata. Attackers can embed malicious instructions in Dockerfile LABEL fields, which the AI assistant interprets as executable commands without validation. These instructions then propagate through the MCP (Model Context Protocol) Gateway to execute with the victim's Docker privileges.

The attack chain works as follows: 1. Attacker publishes a Docker image with weaponized LABEL instructions 2. Victim queries Ask Gordon about the image 3. Gordon reads metadata fields and forwards parsed instructions to MCP Gateway 4. Gateway invokes MCP tools without additional validation 5. Commands execute with victim's Docker privileges

The impact includes critical-level remote code execution for cloud and CLI systems, high-impact data exfiltration for desktop applications, and access to sensitive environment details, container information, configurations, and network topology.

The vulnerability stems from a "meta-context injection" flaw where the system fails to distinguish between informational metadata and executable internal instructions, representing a failure of contextual trust boundaries.

Version 4.50.0 also addresses a previous prompt injection vulnerability discovered by Pillar Security involving Docker Hub repository metadata tampering.