CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

DockerDash Vulnerability in Docker's Ask Gordon AI Assistant

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

A critical security flaw, dubbed DockerDash, has been disclosed in Docker's Ask Gordon AI assistant. The vulnerability allows attackers to execute arbitrary commands or exfiltrate data by manipulating metadata in Docker images. The flaw stems from the lack of validation in the Model Context Protocol (MCP) gateway, enabling attackers to bypass security boundaries without traditional software bugs. The issue affects both cloud CLI environments and Docker Desktop, with different impacts depending on the deployment. Docker has released patches and mitigation strategies to address the vulnerability. The vulnerability involves a three-stage attack where malicious metadata in Docker images is interpreted and executed by the MCP Gateway without validation. The attack chain involves publishing a malicious Docker image, querying Ask Gordon AI, forwarding instructions to the MCP Gateway, and executing commands with the victim's Docker privileges. The data exfiltration vulnerability in Docker Desktop allows capturing sensitive internal data about the victim's environment using MCP tools. Ask Gordon version 4.50.0 also resolves a prompt injection vulnerability discovered by Pillar Security.

Timeline

  1. 03.02.2026 17:15 3 articles · 1d ago

    DockerDash Vulnerability Disclosed and Patched

    Noma Labs disclosed the DockerDash vulnerability in Docker's Ask Gordon AI assistant on February 3, 2026. The flaw, which allows attackers to execute arbitrary commands or exfiltrate data by manipulating metadata in Docker images, was reported to Docker on September 17, 2025. Docker confirmed the vulnerability on October 13, 2025, and released patches in Docker Desktop version 4.50.0 on November 6, 2025. The patches include blocking the rendering of user-provided image URLs and requiring explicit user confirmation before invoking MCP tools. The vulnerability involves a three-stage attack where malicious metadata in Docker images is interpreted and executed by the MCP Gateway without validation. The attack chain involves publishing a malicious Docker image, querying Ask Gordon AI, forwarding instructions to the MCP Gateway, and executing commands with the victim's Docker privileges. The data exfiltration vulnerability in Docker Desktop allows capturing sensitive internal data about the victim's environment using MCP tools. The vulnerability is characterized as a case of meta-context injection, where the MCP Gateway cannot distinguish between informational metadata and executable instructions.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

Three vulnerabilities in the mcp-server-git, maintained by Anthropic, allow file access, deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. The vulnerabilities include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat, highlighting the risks of prompt injection attacks without direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger the vulnerabilities. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.

Open in new tab

Critical runC vulnerabilities enable container escape to host system

Three critical vulnerabilities in runC, a container runtime used by Docker and Kubernetes, could allow attackers to escape container isolation and gain root access to the host system. The flaws, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were disclosed by SUSE engineer Aleksa Sarai. Exploiting these vulnerabilities requires the ability to start containers with custom mount configurations, which can be achieved through malicious container images or Dockerfiles. The vulnerabilities affect all versions of runC, with fixes available in versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later. No active exploits have been reported, but researchers at Sysdig have provided detection and mitigation strategies.

Open in new tab

Command Injection Vulnerability in Figma MCP

A command injection vulnerability (CVE-2025-53967) in the Figma MCP server allows remote code execution. The flaw, stemming from unsanitized user input, was patched in version 0.6.3. The issue affects developers using AI-powered coding agents like Cursor. The vulnerability could be exploited by attackers on the same network or via DNS rebinding attacks. It was discovered by Imperva in July 2025 and was addressed in the latest release. The flaw resides in the 'src/utils/fetch-with-retry.ts' file, where the curl command is constructed using shell command strings, enabling potential remote code execution. The patch replaces 'child_process.exec()' with 'child_process.execFile()' and implements proper input validation. Users should upgrade to Figma MCP version 0.6.3 or higher, audit systems using vulnerable versions, and review logs for suspicious command execution patterns. There are over 15,000 MCP servers in the world, with many misconfigured and lacking authentication or access controls.

Open in new tab

Misconfigured Docker APIs Exploited in TOR-Based Cryptojacking Campaign

A new variant of a TOR-based cryptojacking campaign targets exposed Docker APIs. The attack involves executing a new container based on the Alpine Docker image and mounting the host file system. The attackers then run a Base64-encoded payload to download a shell script downloader from a .onion domain. The script installs tools for reconnaissance and communication with a command-and-control (C2) server. The campaign may aim to establish a complex botnet. The attack chain includes exploiting additional ports (23, 9222) and using known default credentials for brute-forcing logins. The malware scans for open Docker API services at port 2375 and propagates the infection to those machines. The attackers block external access to port 2375 using available firewall utilities and install persistent SSH access. The malware includes dormant logic for future expansion opportunities for credential theft, browser session hijacking, remote file download, and distributed denial-of-service (DDoS) attacks. The campaign highlights the importance of securing Docker APIs and limiting exposure of services to the internet.

Open in new tab

Critical Docker Desktop SSRF Vulnerability Exploitable via Malicious Containers

A critical server-side request forgery (SSRF) vulnerability in Docker Desktop for Windows and macOS allows attackers to compromise the host system by running a malicious container. The flaw, identified as CVE-2025-9074, enables unauthorized access to user files on the host system, even with Enhanced Container Isolation (ECI) protection enabled. The vulnerability allows attackers to mount the host's file system and modify it to escalate privileges to those of an administrator. The vulnerability was discovered by security researcher Felix Boulet, who demonstrated a proof-of-concept (PoC) exploit that does not require code execution rights inside the container. The flaw affects Docker Desktop versions for Windows and macOS but not the Linux version. The issue was responsibly disclosed to Docker, which released a patch in version 4.44.3. The vulnerability can be exploited via a server-side request forgery (SSRF) flaw, allowing an attacker to proxy requests through the vulnerable application and reach the Docker socket. This vulnerability allows unauthorized access to user files on the host system and can be leveraged to gain full control of the Docker application and containers.

Open in new tab