Smithery.ai

Security researchers at GitGuardian uncovered a critical path traversal vulnerability in Smithery.ai, a Model Context Protocol (MCP) server hosting platform. The flaw, stemming from improper validation of the `dockerBuildPath` parameter, allowed attackers to access arbitrary filesystem locations on Smithery’s build infrastructure. Exploiting this, attackers could exfiltrate sensitive files, including Docker authentication credentials stored in `.docker/config.json`, which were overprivileged and granted access to Smithery’s Docker registry and fly.io’s machines API. The compromise enabled arbitrary code execution on over 3,000 hosted MCP servers, exposing API keys, authentication tokens, and network traffic from thousands of clients. The centralized nature of Smithery.ai amplified the risk, creating a supply chain attack vector where a single breach could cascade across dependent organizations. While no evidence of malicious exploitation was found before patching, the incident highlighted severe risks in AI infrastructure security, particularly around static, long-term API keys and centralized hosting models. Smithery.ai remediated the issue within 48 hours of disclosure, but the vulnerability posed a high-risk scenario for large-scale data exposure and infrastructure takeover.

Source: https://cyberpress.org/mcp-server-vulnerability/

TPRM report: https://www.rankiteo.com/company/smithery-ai
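As an added illustration of the build-context validation the summary and the recommendations below call for (example code written here, not Smithery.ai's or GitGuardian's), the weak join-and-trust pattern sits beside a validator that resolves the requested `dockerBuildPath` and refuses anything that lands outside the checkout root, symlinks included. The directory layout it builds is constructed in a temp dir and assumes a POSIX host.

```python
import os
import tempfile
from pathlib import Path

def naive_build_path(repo_root: str, docker_build_path: str) -> str:
    """Weak pattern: join and trust. An absolute value discards repo_root entirely,
    and '..' segments (or a symlink inside the checkout) walk out of it."""
    return os.path.join(repo_root, docker_build_path)

def safe_build_path(repo_root: str, docker_build_path: str) -> Path:
    """Resolve the requested build context and require it to stay inside repo_root.
    resolve() follows symlinks, so a link pointing outside the root is rejected too."""
    root = Path(repo_root).resolve()
    if Path(docker_build_path).is_absolute():
        raise ValueError(f"absolute build path not allowed: {docker_build_path!r}")
    candidate = (root / docker_build_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"build path escapes checkout root: {docker_build_path!r}")
    if not candidate.is_dir():
        raise ValueError(f"build path is not a directory: {docker_build_path!r}")
    return candidate

def make_demo_checkout() -> tuple:
    """Constructed throwaway layout: a 'secrets' dir standing in for the build host's
    home, a checkout with a 'server' subdir, and a symlink in the checkout to secrets."""
    base = Path(tempfile.mkdtemp()).resolve()
    (base / "secrets").mkdir()
    repo = base / "checkout"
    (repo / "server").mkdir(parents=True)
    os.symlink(base / "secrets", repo / "escape")
    return repo, base / "secrets"

def check_paths() -> dict:
    """Run both patterns over the constructed layout; report what escapes and what is rejected."""
    repo, secrets = make_demo_checkout()
    results = {}
    for requested in ("server", "../secrets", "escape", str(secrets)):
        naive = Path(naive_build_path(str(repo), requested)).resolve()
        verdict = {"naive_escapes": naive != repo and repo not in naive.parents,
                   "safe_rejects": False}
        try:
            safe_build_path(str(repo), requested)
        except ValueError:
            verdict["safe_rejects"] = True
        results[requested] = verdict
    return results

if __name__ == "__main__":
    for path, verdict in check_paths().items():
        print(f"{path!r}: {verdict}")
```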

"id": "smi3162131102325",
"linkid": "smithery-ai",
"type": "Vulnerability",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Thousands (via exposed API keys '
                                              'and MCP server compromises)',
                        'industry': 'Artificial Intelligence / Cloud Hosting',
                        'name': 'Smithery.ai',
                        'type': 'AI Infrastructure Provider'},
                       {'industry': 'Cloud Computing',
                        'name': 'fly.io',
                        'type': 'Cloud Infrastructure Provider'},
                       {'name': 'Multiple organizations (via MCP server supply '
                                'chain)',
                        'type': ['AI Service Providers',
                                 'API Consumers',
                                 'Database Operators']}],
 'attack_vector': 'Exploitation of improperly validated `dockerBuildPath` '
                  'parameter in Docker build process, leading to arbitrary '
                  'filesystem access and credential theft',
 'data_breach': {'data_exfiltration': 'Demonstrated in proof-of-concept '
                                      '(filesystem listings, credentials)',
                 'file_types_exposed': ['.docker/config.json',
                                        'smithery.yaml',
                                        'Dockerfiles',
                                        'Network traffic dumps'],
                 'sensitivity_of_data': 'High (long-term static API keys, '
                                        'infrastructure credentials)',
                 'type_of_data_compromised': ['API keys',
                                              'Authentication tokens',
                                              'Docker credentials',
                                              'Filesystem metadata',
                                              'Network traffic']},
 'date_publicly_disclosed': '2025-06-13',
 'date_resolved': '2025-06-15',
 'description': 'Security researchers at GitGuardian uncovered a critical path '
                'traversal vulnerability in Smithery.ai, a Model Context '
                'Protocol (MCP) server hosting platform. The flaw, stemming '
                'from improper validation of the `dockerBuildPath` parameter, '
                'allowed attackers to access sensitive files on Smithery’s '
                'build infrastructure, including Docker authentication '
                'credentials. These overprivileged credentials granted access '
                'to Smithery’s Docker registry and fly.io’s machines API, '
                'enabling arbitrary code execution on over 3,000 hosted MCP '
                'servers. The vulnerability exposed API keys and '
                'authentication tokens from thousands of clients, posing a '
                'significant supply chain risk. GitGuardian disclosed the '
                'issue on June 13, 2025, and Smithery remediated it within 48 '
                'hours. No evidence of prior exploitation was found.',
 'impact': {'brand_reputation_impact': 'High (due to supply chain risk '
                                       'exposure and centralized AI '
                                       'infrastructure vulnerability)',
            'data_compromised': ['API keys',
                                 'Authentication tokens',
                                 'Docker credentials (.docker/config.json)',
                                 'Filesystem listings',
                                 'Network traffic (including client API keys)'],
            'operational_impact': 'Potential arbitrary code execution on all '
                                  'hosted MCP servers; risk of cascading '
                                  'breaches across dependent organizations',
            'systems_affected': '3,000+ hosted MCP servers and portions of '
                                'Smithery.ai’s infrastructure'},
 'initial_access_broker': {'entry_point': 'Malicious `smithery.yaml` '
                                          'configuration with crafted '
                                          '`dockerBuildPath` parameter',
                           'high_value_targets': ['.docker/config.json',
                                                  'fly.io machines API',
                                                  'MCP server network '
                                                  'traffic']},
 'investigation_status': 'Completed (no evidence of pre-patch exploitation '
                         'found)',
 'lessons_learned': ['Centralized AI hosting platforms create single points of '
                     'failure with amplified supply chain risks',
                     'Improper input validation in build processes can lead to '
                     'critical path traversal vulnerabilities',
                     'Overprivileged credentials in CI/CD pipelines '
                     'significantly increase attack surface',
                     'Static, long-term API keys lack granular privilege '
                     'management compared to OAuth tokens',
                     'Rapid disclosure and patching can mitigate exploitation '
                     'before malicious actors discover vulnerabilities'],
 'post_incident_analysis': {'corrective_actions': ['Patched path traversal '
                                                   'vulnerability in build '
                                                   'process',
                                                   'Rotated compromised '
                                                   'credentials',
                                                   'Enhanced validation for '
                                                   'Docker build contexts'],
                            'root_causes': ['Lack of input validation for '
                                            '`dockerBuildPath` parameter',
                                            'Overprivileged Docker credentials '
                                            'with access to fly.io API',
                                            'Use of static API keys without '
                                            'rotation or granular controls',
                                            'Centralized architecture creating '
                                            'single point of failure']},
 'recommendations': ['Enforce strict validation of build context paths in '
                     'Docker configurations',
                     'Implement least-privilege principles for CI/CD '
                     'credentials and infrastructure access',
                     'Replace static API keys with short-lived OAuth tokens '
                     'where possible',
                     'Conduct regular security audits of centralized AI/ML '
                     'infrastructure',
                     'Monitor for anomalous filesystem access patterns in '
                     'build environments',
                     'Segment build infrastructure to limit lateral movement '
                     'in case of compromise'],
 'references': [{'source': 'GitGuardian Research Blog'},
                {'source': 'Gaetan Ferry (Security Researcher)'}],
 'response': {'containment_measures': ['Partial fix deployed within 24 hours',
                                       'Compromised credentials rotated'],
              'incident_response_plan_activated': 'Yes (within 24 hours of '
                                                  'disclosure)',
              'remediation_measures': ['Complete patch implemented by June 15, '
                                       '2025',
                                       'Docker build context validation '
                                       'enforced'],
              'third_party_assistance': ['GitGuardian (disclosure and '
                                         'coordination)']},
 'title': 'Critical Path Traversal Vulnerability in Smithery.ai Exposes 3,000+ '
          'AI Servers and API Keys',
 'type': ['Supply Chain Attack',
          'Path Traversal Vulnerability',
          'Credential Compromise',
          'Unauthorized Access'],
 'vulnerability_exploited': 'CWE-22: Path Traversal in Docker build context '
                            'configuration (smithery.yaml)'}