Smithery.ai fixed a flaw earlier this year that exposed thousands of model context protocol (MCP) servers hosted by the service to potential attack, GitGuardian revealed Wednesday. The path traversal flaw enabled GitGuardian researchers to access sensitive files from Smithery’s environment by setting up an MCP server with a malicious configuration file.

When MCP servers are submitted to Smithery’s registry, the server owner creates a GitHub repository containing the necessary code and resources, including a Docker build configuration file, smithery.yaml.

GitGuardian found that the build process would accept any value for the “dockerBuildPath” property found in this file, including locations outside of the server’s own repository. The researchers set the Docker build path to “..” and uploaded a malicious Dockerfile that would exfiltrate a list of available files at that path to an external URL.

This caused a list of files from the builder machine’s home directory to be exposed at build time, including the sensitive .docker/config.json file. By targeting this file in a second build process, they exposed its contents and recovered a fly.io authentication token.

The researchers found that this fly.io token gave them access to both a fly.io Docker container registry controlled by Smithery and the ability to use fly.io’s machines API to control any of the apps hosted on Smithery’s fly.io account. They discovered more than 3,000 apps hosted on the account, most of which corresponded to MCP servers.

GitGuardian reported these findings to Smithery on June 13, 2025, and Smithery rotated the exposed token and fixed the path traversal flaw by June 15, 2025. There is no indication the flaw was ever exploited by malicious actors in the wild.

The researchers noted that this incident highlights potential supply chain risks organizations should consider when determining how to host remote MCP servers. The extensive privileges granted by the single authentication token extracted by the researchers also raise concerns about the use of over-privileged, long-term credentials to control these servers.
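One defensive check a registry build pipeline can apply to a user-supplied dockerBuildPath like the one described above, confining it to the submitted repository before any build runs. This is an added example, not Smithery's own fix; the function names and the temporary directory layout are assumptions.

```python
import tempfile
from pathlib import Path


def resolve_build_path(repo_root: str, docker_build_path: str) -> Path:
    """Return the absolute build directory, or raise ValueError if the
    configured value would escape repo_root via '..', an absolute path,
    or a symlink inside the checkout that points elsewhere."""
    root = Path(repo_root).resolve(strict=True)
    candidate = Path(docker_build_path)
    # The build context must live inside the repository: reject absolute paths outright.
    if candidate.is_absolute():
        raise ValueError(f"dockerBuildPath must be relative: {docker_build_path!r}")
    # resolve() follows symlinks, so a link pointing outside the checkout is caught too.
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"dockerBuildPath {docker_build_path!r} escapes the repository") from None
    if not target.is_dir():
        raise ValueError(f"dockerBuildPath {docker_build_path!r} is not a directory")
    return target


def check_config(repo_root: str, docker_build_path: str) -> bool:
    """True if resolve_build_path would accept the configured value."""
    try:
        resolve_build_path(repo_root, docker_build_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed layout (hypothetical): <tmp>/repo/server, <tmp>/outside and a
    symlink <tmp>/repo/link -> <tmp>/outside. Returns the verdict per configured value."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        (repo / "server").mkdir(parents=True)
        (Path(tmp) / "outside").mkdir()
        try:
            (repo / "link").symlink_to(Path(tmp) / "outside", target_is_directory=True)
            symlink_ok = True
        except OSError:  # symlink creation may be unavailable on some platforms
            symlink_ok = False
        values = [".", "server", "..", "server/../..", "/", "missing"]
        results = {v: check_config(str(repo), v) for v in values}
        if symlink_ok:
            results["link"] = check_config(str(repo), "link")
        return results
```

Only "." and "server" are accepted; "..", "server/../..", an absolute path, a non-existent directory and the escaping symlink are all rejected before the build context is ever handed to Docker.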
Smithery.ai fixes path traversal flaw that exposed 3,000 MCP servers
