DockerDash: when Docker metadata become executable instructions and the IA is exposed to Meta-Context Injection

A serious vulnerability that affected Ask Gordon, the artificial intelligence assistant integrated in the Docker Desktop and Docker's CLI. Security investigators named the failure as DockerDash and showed that, with a relatively simple technique, an attacker could convert apparently harmless metadata into executable instructions that ended up running in the victim's environment or extracting sensitive information.

The failure was described and analyzed by the Noma Labs team in a technical report that documents how a malicious label in the metadata of a Docker image (for example, a LABEL field in the Dockerfile) can be spread through the layers of the stack until it causes code execution or data leakage. Docker released a correction included in the version 4.50.0, so updating to that version or above is the first measure that managers and developers should take.

The root of the problem was not a traditional runtime failure, but a contextual confidence problem between the IA assistant and the elements he used to reason. Ask Gordon reads metadata from the images to provide explanations, suggestions and commands. In the case of DockerDash, these metadata were not treated as catalog data but as instructions that the assistant could delegate to an intermediate layer called MCP Gateway (Model Context Protocol), which acts as a bridge between the language model and local tools. In the absence of rigorous verification of which metadata were merely informative and which could be executed, a malicious actor could insert "instructions" into a LABEL and get them to be executed later.

The attack described by the researchers takes place in a chain: first, an attacker builds and publishes a Docker image with modified LABEL fields to include harmful instructions; then, when a user consults Ask Gordon on that image, the assistant processes and resends the content to the MCP Gateway as if it were a legitimate request; finally, the Gateway invokes MCP tools that execute the actions with the privileges of the user's Docker environment. The result can be from remote execution of commands in cloud or CLI environments to internal information extraction in desktop facilities.

In addition to the possibility of execution, researchers showed how the same route could be used to collect sensitive details of the environment: container lists and configurations, mounted routes, installed tools and network topology. In Docker Desktop environments, where Ask Gordon works with theory-only reading permissions, these consultations can reveal a lot of useful data for an attacker in later phases of the attack.

The authors of the finding coined the term Meta-Context Injection to describe this kind of abuse: a classic bug is not exploited in memory or overflow, but the ability to insert malicious context that the system interprets as part of its operational reasoning. It is a modern variant of command injections, adapted to architectures that combine language models and external tools.

Docker and those responsible for the MCP protocol have already published corrections and recommendations, but beyond the immediate patch, the incident leaves relevant lessons. The first is that entries from "reliable" sources - for example, image repositories or metadata fields - should be treated with the same skepticism as any unknown user input. Implementing strict validations, minimum permit policies and metadata integrity controls is essential.

Another teaching is architectural: bridges between IA models and local resources (such as MCP Gateway) need more fine authentication and authorization mechanisms. In this case, the lack of distinction between information data and executable orders allowed the treatment chain to accept and spread malicious instruction without additional safety strings. Limit which tools can be invoked, require explicit user confirmations for sensitive actions and audit invocation are measures that reduce the attack surface.

If you want to go into the technical analysis you can read the Noma Labs report, which details the operating routes and the risk vectors: DockerDash Report - Noma Labs. It is also recommended to review Docker's documentation on Ask Gordon and the notes from the version that correct the problem: Ask Gordon - Docker and Notes to version 4.50.0. To better understand the overall risks of injections to IA attendees, OWASP maintains useful resources on this type of attack: OWASP - Prompt Injection Cheat Sheet.

In practice, before re-relying on an image or automated responses it is appropriate to apply several defenses: verify the origin of the images and prefer signatures and safe channel, scan artifacts for unusual content in metadata, minimize execution privileges for MCP tools and require additional controls when an action involves changes or access to sensitive data. These measures do not eliminate the risk completely, but significantly increase the cost to an attacker.

The DockerDash episode also shows an emerging risk: that of the IA supply chain. When models and attendees begin to automate decisions and invoke local capabilities, apparently benign inputs become attack vectors if they are not validated correctly. Treating contextual information as "trusted" without validation is a dangerous shortcut we must avoid if we want to deploy IA assistants in productive environments with safety.

If you manage Docker environments, the practical and urgent recommendation is simple: it updates the parched version and reviews the settings of Ask Gordon and MCP. In the medium term, it proposes zero confidence controls (zerotrust) for all data that feed IA agents and designs policies that limit the ability of those agents to implement actions automatically. Technology is moving fast and these lessons help us to keep it useful without jeopardizing infrastructure or data.