DockerDash Exposes AI Supply Chain Weakness In Docker's Ask Gordon

The rise of AI‑driven development assistants has introduced new attack surfaces that extend beyond traditional code vulnerabilities. Docker’s Ask Gordon, an AI chat interface embedded in Docker Desktop and CLI, was designed to simplify container management by interpreting image metadata and invoking the Model Context Protocol (MCP) gateway. Researchers at Noma Labs uncovered a critical flaw, dubbed DockerDash, that turns unverified Docker LABEL fields into executable instructions. This meta‑context injection demonstrates how AI agents can be weaponized when they trust data without validation, exposing the broader AI supply‑chain risk.

The exploit follows a three‑stage chain: Ask Gordon reads a malicious LABEL, forwards the interpreted command to the MCP gateway, and the gateway executes it through MCP tools. In cloud or command‑line environments the chain culminates in remote code execution, granting attackers full control over the host. On Docker Desktop, where Ask Gordon runs with read‑only privileges, the same vector pivots to large‑scale data exfiltration and reconnaissance, leaking container configurations, environment variables, and network details. Because the vulnerability bypasses traditional software bugs, existing security controls often miss it.

Docker responded quickly, confirming the issue on October 13, 2025 and releasing Docker Desktop 4.50.0 on November 6, 2025. The patch disables rendering of user‑provided image URLs and adds a mandatory user confirmation step before any MCP tool invocation, effectively inserting a human‑in‑the‑loop safeguard. Organizations should prioritize upgrading and audit AI‑driven tooling for similar meta‑context injection risks. The DockerDash case underscores the need for rigorous validation of all AI‑supplied context, a practice that will become essential as AI agents permeate software supply chains.