DockerDash Vulnerability in Docker's Ask Gordon AI Assistant

2 unique sources, 2 articles

Summary

A critical security flaw, dubbed DockerDash, has been disclosed in Docker's Ask Gordon AI assistant. The vulnerability allows attackers to execute arbitrary commands or exfiltrate data by manipulating metadata in Docker images. The flaw stems from the lack of validation in the Model Context Protocol (MCP) gateway, enabling attackers to bypass security boundaries without traditional software bugs. The issue affects both cloud CLI environments and Docker Desktop, with different impacts depending on the deployment. Docker has released patches and mitigation strategies to address the vulnerability. The vulnerability involves a three-stage attack where malicious metadata in Docker images is interpreted and executed by the MCP Gateway without validation. The attack chain involves publishing a malicious Docker image, querying Ask Gordon AI, forwarding instructions to the MCP Gateway, and executing commands with the victim's Docker privileges. The data exfiltration vulnerability in Docker Desktop allows capturing sensitive internal data about the victim's environment using MCP tools. Ask Gordon version 4.50.0 also resolves a prompt injection vulnerability discovered by Pillar Security.

Timeline

  1. 03.02.2026 17:15 · 2 articles

    DockerDash Vulnerability Disclosed and Patched

    Noma Labs disclosed the DockerDash vulnerability in Docker's Ask Gordon AI assistant on February 3, 2026. The flaw, which allows attackers to execute arbitrary commands or exfiltrate data by manipulating metadata in Docker images, was reported to Docker on September 17, 2025. Docker confirmed the vulnerability on October 13, 2025, and released patches in Docker Desktop version 4.50.0 on November 6, 2025. The patches include blocking the rendering of user-provided image URLs and requiring explicit user confirmation before invoking MCP tools. The vulnerability involves a three-stage attack where malicious metadata in Docker images is interpreted and executed by the MCP Gateway without validation. The attack chain involves publishing a malicious Docker image, querying Ask Gordon AI, forwarding instructions to the MCP Gateway, and executing commands with the victim's Docker privileges. The data exfiltration vulnerability in Docker Desktop allows capturing sensitive internal data about the victim's environment using MCP tools.

Similar Happenings

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

Three vulnerabilities in mcp-server-git, which is maintained by Anthropic, allow file access, deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. The vulnerabilities include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat, highlighting the risks of prompt injection attacks without direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger the vulnerabilities. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.

Command Injection Vulnerability in Figma MCP

A command injection vulnerability (CVE-2025-53967) in the Figma MCP server allows remote code execution. The flaw, stemming from unsanitized user input, was patched in version 0.6.3. The issue affects developers using AI-powered coding agents like Cursor. The vulnerability could be exploited by attackers on the same network or via DNS rebinding attacks. It was discovered by Imperva in July 2025 and was addressed in the latest release. The flaw resides in the 'src/utils/fetch-with-retry.ts' file, where the curl command is constructed using shell command strings, enabling potential remote code execution. The patch replaces 'child_process.exec()' with 'child_process.execFile()' and implements proper input validation. Users should upgrade to Figma MCP version 0.6.3 or higher, audit systems using vulnerable versions, and review logs for suspicious command execution patterns. There are over 15,000 MCP servers in the world, with many misconfigured and lacking authentication or access controls.
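
The exec()-to-execFile() change described for the Figma MCP patch, as an added JavaScript example that is not the project's code. The function names, the http(s)-only validation rule and the sample URL are assumptions, and a child Node process stands in for curl so the check runs offline.

```javascript
// Added illustration; names are hypothetical, not from the Figma MCP code base.
const { execFileSync } = require('node:child_process');

// Assumed validation policy: the input must parse as a URL and use http(s).
function validateUrl(raw) {
  const url = new URL(raw); // throws TypeError on malformed input
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  return url.href;
}

// Pre-patch pattern, built as a string only and never executed here:
// exec() would hand this line to a shell, which parses $(), ;, | and quotes
// found inside the URL.
function shellCommandLine(rawUrl) {
  return `curl -s -L "${rawUrl}"`;
}

// Post-patch pattern: arguments for execFile(). Each array element reaches
// the program as one argv entry; no shell is involved.
function curlArgv(rawUrl) {
  return ['-s', '-L', validateUrl(rawUrl)];
}

// Offline check: instead of curl, start a child Node process through
// execFileSync and have it report the arguments it actually received.
function argvSeenByChild(rawUrl) {
  const echo = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const url = curlArgv(rawUrl).at(-1);
  const out = execFileSync(process.execPath, ['-e', echo, url], { encoding: 'utf8' });
  return JSON.parse(out);
}

// Constructed sample input carrying shell metacharacters in the query string.
const SAMPLE = 'https://files.example.test/v1/images?id=$(echo INJECTED);n=1';

console.log('shell string :', shellCommandLine(SAMPLE));
console.log('execFile argv:', curlArgv(SAMPLE));
console.log('child saw    :', argvSeenByChild(SAMPLE));
```

The child receives the whole URL as a single argument with `$(...)` and `;` left as literal characters, which is the property the patch relies on.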