Docker fixes DockerDash vulnerability that threatens AI assistant Ask Gordon.
The DockerDash security vulnerability has just been patched in Docker Desktop version 4.50.0, preventing the risk of unauthorized code execution and data theft through AI assistants.
The DockerDash security vulnerability is a critical Meta-Context Injection flaw affecting the Ask Gordon AI assistant in Docker Desktop and Docker CLI. This vulnerability allows attackers to execute unauthorized code and steal sensitive data through Docker image metadata without authentication.
Researchers at Noma Labs discovered this vulnerability, and Docker officially released a patch in version 4.50.0 in November 2025.
Exploitation mechanism via Meta-Context Injection
According to Noma Security, the root cause of DockerDash lies in Ask Gordon's treatment of unverified metadata as valid commands. An attacker can create a Docker image containing malicious commands embedded within the field.LABELof the Dockerfile. When a user asks Ask Gordon a question about this image, the AI will analyze and interpret the malicious directive as a normal control command.
Ask Gordon then forwards this content to the MCP Gateway (Model Context Protocol). Because the Gateway cannot distinguish between descriptive labels and internal commands, it executes the code through the MCP tools with the user's administrative privileges without requiring any additional authentication steps.
Risks of code execution and system data leaks.
The DockerDash attack is particularly dangerous because it exploits Docker's existing architecture. In addition to remote code execution, attackers can leverage AI assistants to collect sensitive data within the Docker Desktop environment. The exposed information could include container details, system configurations, mounted directories, and internal network architecture.
Notably, version 4.50.0 not only patches DockerDash but also fixes another prompt injection vulnerability discovered by Pillar Security. This vulnerability previously allowed attackers to gain control of AI through repository metadata on Docker Hub.
Zero-Trust security and authentication recommendations
Sasi Levi, an expert from Noma Security, believes DockerDash serves as a warning about the risks of AI supply chains. Input sources that were previously considered completely trustworthy can be exploited to manipulate the execution flow of large model language (LLM).
To minimize risks, users should update Docker Desktop to the latest version immediately. Experts recommend that applying zero-trust validation to all contextual data provided to AI models is mandatory to ensure system security.
