DOCKER Desktop’s built‑in Ask Gordon AI suffered a critical flaw dubbed DockerDash, which could enable remote code execution and data exfiltration through malicious image metadata, researchers disclosed. Docker released a patch in version 4.50.0 in November 2025 to address the issue. According to Noma Labs, DockerDash works when a malicious metadata label in a Docker image is read by Gordon AI, forwarded to the MCP Model Context Protocol Gateway, and then executed by MCP tools, with zero validation at each stage.
The attack hinges on Ask Gordon treating unverified metadata as executable commands, exploiting a trust boundary between a large language model and the local environment, and allowing an attacker to hijack the AI’s execution path and potentially access internal data. A threat actor could craft a Docker image with embedded, runnable instructions in Dockerfile LABEL fields, triggering code execution when a victim queries Ask Gordon about the image.