A critical vulnerability was discovered in Smithery.ai, a well-known registry for Model Context Protocol (MCP) servers. This flaw could have let hackers steal data from over 3,000 AI servers and access API keys of thousands of users.
MCP connects AI apps to external tools and data, such as local files or remote databases. Servers can be either local or remote, with remote options often being self-hosted or fully managed.
GitGuardian reports that Smithery.ai’s hybrid model streamlines deployment by building user-submitted servers from GitHub repositories into Docker images. This convenience concentrates risk, however: a single breach of the build pipeline could affect the entire ecosystem of AI tools hosted on the platform.
Exploiting a Simple Configuration Vulnerability:
The flaw stemmed from weak controls in Smithery’s build process. Users submit a smithery.yaml file that specifies the Docker build context via the dockerBuildPath key. Legitimate configurations point at a location inside the repository, but the system did not validate the value, which left it open to path traversal.
By setting dockerBuildPath to “..”, an attacker could make the build context reference the builder machine’s home directory outside the repository, exposing the sensitive files there to a malicious Dockerfile.
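The missing check is a containment test: resolve the configured build path against the repository checkout and refuse anything that lands outside it. The following is an added example written for this article, not Smithery’s own code; the repository root path is a constructed value, and the function names are hypothetical.

```python
from pathlib import Path

# Hypothetical location where the build host checks out the submitted repo (constructed value).
DEFAULT_REPO_ROOT = "/srv/builds/repo"


def resolve_build_context(docker_build_path: str, repo_root: str = DEFAULT_REPO_ROOT) -> Path:
    """Return the absolute build context, or raise ValueError if it escapes repo_root.

    Resolving both paths first collapses '..' segments and follows symlinks, so
    values such as '..', 'sub/../../..' or an absolute path like '/root' are all
    caught by the single containment check below.
    """
    root = Path(repo_root).resolve()
    # Path joining discards `root` when docker_build_path is absolute; that is why
    # the resolved result is compared against root afterwards instead of trusting
    # the join to stay inside it.
    candidate = (root / docker_build_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(
            f"dockerBuildPath {docker_build_path!r} resolves to {candidate}, outside {root}"
        )
    return candidate


def is_safe_build_path(docker_build_path: str, repo_root: str = DEFAULT_REPO_ROOT) -> bool:
    """Boolean form of the check, suitable for rejecting a smithery.yaml before any build starts."""
    try:
        resolve_build_context(docker_build_path, repo_root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values a validator would see in submitted smithery.yaml files.
    for value in [".", "server", "a/../b", "..", "/root", "a/../../b"]:
        print(f"{value!r:14} -> {'ok' if is_safe_build_path(value) else 'REJECTED'}")
```

Run the check on the configured value before handing the build context to Docker; rejecting at parse time means a malicious Dockerfile never gets to see the host directory at all. The build should also run with a dedicated, minimally scoped credential so that even a successful escape exposes nothing beyond the build job itself.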
In testing, GitGuardian created a repository named “test” with a crafted smithery.yaml and Dockerfile. The Dockerfile used curl to send the directory tree to a site under the researchers’ control, revealing files such as .docker/config.json.
That file contained an over-privileged fly.io authentication token: it was intended for Docker registry access, but it also granted broader access to the machine API.
Fly.io hosts Smithery in virtual containers, and the token gave access to an organization with 3,243 apps, primarily MCP servers, along with the platform’s service infrastructure.
With the token, an attacker could enumerate apps, execute code on machines (GitGuardian confirmed root access by running the “id” command), and even sniff network traffic. Compromised servers captured HTTP requests that revealed client API keys, including a Brave key passed in query parameters. Scaled across the organization, this could expose secrets from many clients using those MCP servers, GitGuardian reports.
The incident shows the risks of centralized AI hosting. Many MCP servers authenticate with static API keys rather than OAuth, which makes them easier targets and makes scoping and revoking privileges harder. The Salesloft OAuth abuse likewise shows how a single flaw can allow lateral movement across several trust boundaries.
Smithery fixed the traversal on June 15, 2025, two days after the June 13 disclosure, rotating the exposed keys and tightening the build process. As AI ecosystems expand, platforms need to prioritize isolation between builds and tenants to protect developers from ecosystem-wide threats.
InfoSecBulletin Cybersecurity for mankind
