AI has quickly become embedded in the software supply chain, and Docker’s Ask Gordon assistant is a prime example of how that convenience can open a new attack surface. DockerDash, a vulnerability uncovered by Noma Labs ( Read Here ), shows how a single malicious Docker label can hijack Gordon’s reasoning flow, turning innocuous metadata into executable instructions routed through the Gordon AI → MCP Gateway → MCP Tools pipeline. Depending on whether Gordon runs in a CLI/cloud or desktop context, the same Meta‑Context Injection primitive can yield either full Remote Code Execution via Docker CLI or extensive data exfiltration using read‑only inspection tools.
What makes DockerDash so concerning is not just the specific bug, but the pattern it exposes: AI agents are now blindly trusting context—Docker labels, configs, tool outputs—as if it were safe, pre‑authorized instruction. This breaks traditional trust boundaries and lets attackers weaponize “informational” fields to drive tool calls, stop containers, and leak sensitive environment details, all behind a friendly chat interface. Docker’s mitigations in Desktop 4.50.0—blocking user‑supplied image URLs in Ask Gordon and forcing human confirmation before any MCP tool runs—are an important first step, but the research is a clear warning: AI‑driven pipelines now demand zero‑trust validation on every piece of context they consume.
Reference:
DockerDash: Two Attack Paths, One AI Supply Chain Crisis - https://noma.security/blog/dockerdash-two-attack-paths-one-ai-supply-chain-crisis/