Docker Patches Critical 'DockerDash' Flaw in Ask Gordon AI Assistant
Take action: Treat all AI-processed metadata as untrusted code and ensure you update Docker Desktop and Docker CLI to version 4.50.0 to enable mandatory user confirmation for AI actions. This update prevents automated attacks that turn simple AI queries into dangerous system commands.
Learn More
Docker released a security update for its Ask Gordon AI assistant to fix a critical vulnerability that allows attackers to run code or steal data through malicious image metadata.
The flaw, dubbed DockerDash, affects both Docker Desktop and the Docker Command-Line Interface (CLI). It exploits a failure in how the AI agent handles the Model Context Protocol (MCP), which connects the large language model to the local system environment.
Vulnerabilities summary:
- DockerDash (no CVE, CVSS score 9.8) - A meta-context injection vulnerability that allows unauthenticated attackers to run arbitrary commands. The attack works by embedding malicious instructions into
DockerfileLABELfields; when a user queries the AI about the image, the assistant interprets these labels as legitimate tasks and forwards them to the MCP Gateway. Because the gateway lacks validation, it executes the commands with the victim's system privileges, enabling full remote code execution. - Prompt Injection (no CVE, CVSS score 8.8) - A secondary vulnerability where attackers can hijack the AI assistant by placing malicious instructions in Docker Hub repository metadata. This flaw allows the AI to be manipulated into exfiltrating sensitive environment data to external servers. The bypass works because the assistant treats repository descriptions as trusted context rather than untrusted user input.
The impact of these vulnerabilities depends on the Docker environment in use. In CLI and cloud-based systems, the flaw leads to remote code execution, allowing attackers to stop containers, modify configurations, or run OS-level commands.
In Docker Desktop, the AI operates with read-only permissions, which limits the attack to data theft of environment variables, secrets, Docker configurations, running container details and image metadata
The vulnerability affects all versions of Docker Desktop and Docker CLI featuring the Ask Gordon AI assistant (beta) prior to version 4.50.0.
To fix these issues, users should update to Docker Desktop version 4.50.0 or later. The update introduces a "Human-In-The-Loop" (HITL) control that requires users to manually approve any tool execution requested by the AI.
Docker now blocks the assistant from rendering user-provided URLs in metadata, which stops the primary method used for data exfiltration.
