Overview
- Ask Gordon interpreted malicious LABEL fields in Docker images as instructions, passed them to the MCP Gateway, and executed them via MCP tools with no validation.
- The attack yields remote code execution in cloud and CLI deployments, while Docker Desktop exposures center on large‑scale data exfiltration due to read‑only permissions.
- Noma Labs identifies the root cause as meta‑context injection, where the system fails to distinguish descriptive metadata from pre‑authorized runnable commands.
- Docker’s November 2025 release added safeguards that stop rendering user‑provided image URLs and require explicit user confirmation before any MCP tool runs.
- The issue was reported on September 17, 2025, confirmed on October 13, and patched on November 6, with public disclosure on February 3, 2026; the same release also fixed a related prompt‑injection vector reported by Pillar Security.