Docker AI Vulnerability Allows Image Metadata to Initiate Attacks

Security researchers have uncovered a significant vulnerability in Docker’s Ask Gordon AI assistant, enabling attackers to execute nefarious commands embedded within the platform’s image metadata.

This exploit, identified as DockerDash, leverages a gap in Docker’s AI execution pipeline. Here, malicious directives hidden in image metadata labels are processed by the Gordon AI assistant without any validation, allowing for command execution through model context protocol tools, according to findings from Noma Labs. The consequences of this vulnerability include remote code execution on cloud services and data exfiltration from desktop applications, contingent on user permissions.

Noma Labs first alerted Docker to this threat on September 17. The company acknowledged the issue on October 13 and responded with mitigations within Docker Desktop version 4.50.0 on November 6. However, details of the vulnerability were disclosed publicly several months later. The attack employs what Noma Labs calls meta-context injection, which allows attackers to craft Docker images with harmful commands concealed in seemingly standard metadata.

In instances of remote code execution, an attacker can publish a Docker image that carries a malicious label instructing it to stop running containers. When users query Ask Gordon about this image, the AI interprets these embedded commands as legitimate user requests and forwards them to execute, utilizing the victim’s permissions.

Conversely, in data exfiltration scenarios typically targeting Docker Desktop, Ask Gordon operates under read-only permissions to prevent direct command execution. However, it is still possible for attackers to command the AI to gather system data, such as installed tools and network configurations, and transfer this information to attacker-controlled servers.

The fundamental challenge is that the AI framework struggles to differentiate between benign context and malicious instructions, as stated by Gal Moyal, CTO at Noma Security. The inherent difficulty lies in the fact that language models treat all loaded context—whether trustworthy or not—identically, which can permit an exploitation path that traditional security protocols fail to identify.

David Brumley, Chief AI and Science Officer at Bugcrowd, commented that DockerDash exemplifies a growing trend of oversight in developing AI products, specifically concerning prompt injection vulnerabilities. As AI technologies continue to evolve, so too do their attack surfaces. Similarly, Ronald Lewis from Black Duck emphasized that AI systems present unique vulnerabilities that diverge markedly from conventional software, necessitating a re-evaluation of how security measures are perceived and enforced.

To mitigate the risk associated with this vulnerability, Docker has implemented several measures, including restricting Ask Gordon from displaying images linked to user-provided URLs and requiring explicit user consent before executing any MCP tools. These steps aim to sever the automated execution chain exploited by the DockerDash threat.

As cyber threats become increasingly sophisticated, organizations are advised to upgrade to Docker Desktop version 4.50.0 or later immediately to counter the vulnerabilities disclosed in recent findings. Future defenses against similar attacks will likely require a multifaceted approach focused on both technology and human oversight.