A serious vulnerability in Smithery.ai, a widely used registry for Model Context Protocol (MCP) servers, has been disclosed. The flaw could have let an attacker take control of more than 3,000 hosted AI servers and harvest API keys from the many users connecting to them from different platforms.
The MCP framework lets AI applications connect to external resources such as local file systems and remote databases. MCP servers come in two types, local and remote; remote servers are either self-hosted or fully managed by a third-party provider.
As reported by GitGuardian, Smithery.ai's hybrid infrastructure simplifies deployment by hosting user-submitted servers on its own systems, building them from GitHub repositories into Docker images. That convenience concentrates risk: a single breach of the build or hosting layer can ripple across an entire ecosystem of AI tools.
Exploiting a Simple Configuration Vulnerability
The vulnerability stemmed from insufficient controls in Smithery's build process. Users submit a smithery.yaml file that sets the Docker build context via dockerBuildPath. Legitimate configurations point at a path inside the repository, but the value was never validated, leaving the build open to path traversal.
By setting dockerBuildPath to "..", an attacker could move the build context out of the cloned repository and into the builder machine's home directory, exposing every file there to a malicious Dockerfile.
To test this, GitGuardian created a repository named "test" with a modified smithery.yaml and a Dockerfile that used curl to send the directory listing to a server under their control; the listing included files such as .docker/config.json.
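The check that was missing, as an added example (this is not Smithery's build code, which the page does not show): it pulls dockerBuildPath out of a smithery.yaml, shows where an unchecked join of ".." lands relative to the checkout, and rejects any value whose normalized form leaves the repository. The YAML layout, the checkout location on the build machine and the sample configurations are assumptions made for the example.

```python
import posixpath
import re

# Matches a dockerBuildPath key at any indentation, e.g. under a "build:" section.
# The layout of a real smithery.yaml is assumed here, not taken from the page.
_DOCKER_BUILD_PATH = re.compile(r'''^\s*dockerBuildPath:\s*["']?([^"'\s]+)["']?\s*$''', re.M)


class UnsafeBuildPath(ValueError):
    """Raised when dockerBuildPath would place the build context outside the checkout."""


def docker_build_path(smithery_yaml: str, default: str = ".") -> str:
    """Extract dockerBuildPath from the YAML text; assume '.' when absent."""
    m = _DOCKER_BUILD_PATH.search(smithery_yaml)
    return m.group(1) if m else default


def naive_build_context(repo_root: str, build_path: str) -> str:
    """The unchecked behaviour: join the user value onto the checkout and normalise.
    With '..' the result is the parent of the clone, i.e. the builder's home
    directory, and every file there becomes part of the Docker build context."""
    return posixpath.normpath(posixpath.join(repo_root, build_path))


def safe_build_context(repo_root: str, build_path: str) -> str:
    """Hardened variant: reject absolute paths and anything that resolves outside repo_root."""
    root = posixpath.normpath(repo_root)
    if not posixpath.isabs(root):
        raise ValueError("repo_root must be absolute")
    if posixpath.isabs(build_path):
        raise UnsafeBuildPath(f"absolute dockerBuildPath rejected: {build_path!r}")
    candidate = posixpath.normpath(posixpath.join(root, build_path))
    # commonpath compares whole components, so "/srv/test-evil" is rejected for root "/srv/test".
    if posixpath.commonpath([root, candidate]) != root:
        raise UnsafeBuildPath(f"dockerBuildPath escapes the repository: {build_path!r}")
    return candidate


# Constructed sample configurations (not Smithery's or GitGuardian's files).
LEGIT_YAML = "startCommand:\n  type: stdio\nbuild:\n  dockerBuildPath: .\n"
TRAVERSAL_YAML = "build:\n  dockerBuildPath: ..\n"
REPO_ROOT = "/home/builder/work/test"  # assumed checkout location on the build machine


def check(smithery_yaml: str, repo_root: str = REPO_ROOT) -> str:
    """Return the validated build context for a smithery.yaml, or raise UnsafeBuildPath."""
    return safe_build_context(repo_root, docker_build_path(smithery_yaml))


if __name__ == "__main__":
    for name, text in (("legit", LEGIT_YAML), ("traversal", TRAVERSAL_YAML)):
        path = docker_build_path(text)
        print(f"{name}: unchecked context -> {naive_build_context(REPO_ROOT, path)}")
        try:
            print(f"{name}: checked context   -> {check(text)}")
        except UnsafeBuildPath as exc:
            print(f"{name}: rejected ({exc})")
```

The check is purely lexical, so it does not cover a symlink committed inside the repository that points outside it; after checkout, the build should resolve the candidate with os.path.realpath and repeat the containment test on the real path. Independently of the path check, the build context is whatever COPY can read, so the build user should hold no credentials in its home directory at all.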
That file held a Fly.io authentication token intended only for Docker registry access but scoped far too broadly, granting API privileges over machines as well.
Smithery uses Fly.io to host its servers in virtualized containers, and the token gave access to an organization holding 3,243 applications, mostly MCP servers, along with the supporting service infrastructure.
With the token, an adversary could enumerate applications, execute code on the machines (GitGuardian confirmed root access by running the id command), and intercept network traffic.
Moreover, capturing HTTP requests to the compromised server revealed API keys sent by clients, including a Brave API key embedded in the query parameters. Scaled across the platform, GitGuardian notes, this would allow wholesale collection of secrets from every client that reaches a service through a hosted MCP server.
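Added example, not from GitGuardian or Smithery: a small Python scanner a server operator could run over access logs or captured requests to find client credentials sent in query strings, as the Brave key above was. Credentials in a query string are exposed to anyone who can read the server's logs or its traffic, which is exactly the position the Fly.io token put an attacker in. The log lines, parameter names and key values are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that conventionally carry credentials (heuristic, case-insensitive).
SECRET_PARAM = re.compile(r"(?:api[_-]?key|access[_-]?token|token|secret|password|passwd|auth)$", re.I)
# Pulls the request target out of the quoted request field of a Common Log Format line.
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\S+)\s+HTTP/[\d.]+"')

# Constructed sample log lines; the key and token values are placeholders, not real credentials.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jun/2025:10:00:00 +0000] "GET /mcp/search?q=weather&api_key=EXAMPLE_KEY_NOT_REAL HTTP/1.1" 200 812',
    '10.0.0.6 - - [13/Jun/2025:10:00:01 +0000] "GET /mcp/search?q=news&count=10 HTTP/1.1" 200 640',
    '10.0.0.7 - - [13/Jun/2025:10:00:02 +0000] "POST /mcp/messages?session=abc123&token=EXAMPLE_TOKEN HTTP/1.1" 202 0',
]


def secrets_in_query(target: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the query string whose name looks like a credential."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if SECRET_PARAM.search(k)]


def redact_target(target: str) -> str:
    """Rewrite the request target with credential-looking parameter values replaced."""
    parts = urlsplit(target)
    cleaned = [(k, "REDACTED" if SECRET_PARAM.search(k) else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_access_log(lines) -> list[tuple[int, list[str], str]]:
    """Return (line number, offending parameter names, redacted target) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        hits = secrets_in_query(m.group(1))
        if hits:
            findings.append((n, [k for k, _ in hits], redact_target(m.group(1))))
    return findings


if __name__ == "__main__":
    for n, names, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: credential-looking parameters {names}; safe to log as {redacted}")
```

The name-based heuristic is deliberately simple; in practice it belongs alongside an entropy or known-prefix check on the values, and the redacted target is what should reach long-term log storage. The finding itself is the useful signal: a client that authenticates through a query parameter should be moved to a header or, better, to a short-lived token.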
The incident shows how dangerous supply-chain vulnerabilities are in centralized AI hosting platforms. MCP servers frequently rely on static API keys rather than OAuth, which makes stolen credentials immediately usable and makes scoping and revoking privileges harder.
Like the abuse of Salesloft OAuth tokens, this case shows how a single flaw can enable lateral movement across trust boundaries.
Smithery fixed the traversal on June 15, 2025, two days after it was disclosed on June 13, rotating keys and tightening its build pipeline. As AI ecosystems grow, platforms like this need to prioritize isolation, between tenants and between the build environment and the credentials it can reach, to protect the developers who depend on them.
Source link: Cybersecuritynews.com.