A significant security flaw has been identified in Smithery.ai, a widely-used registry for Model Context Protocol (MCP) servers. This vulnerability potentially allowed unauthorized access to more than 3,000 AI servers and the extraction of thousands of API keys from various services.
Understanding MCP and Its Role in AI Applications
The Model Context Protocol (MCP) is integral to AI applications, facilitating their connection to external tools and data sources, such as local filesystems or remote databases. MCP servers can be deployed locally or remotely, with remote servers often being self-hosted or managed by third-party providers.
Smithery.ai’s Deployment Model and Associated Risks
Smithery.ai offers a hybrid deployment model that simplifies the process by hosting user-submitted servers on its infrastructure. These servers are constructed from GitHub repositories into Docker images. While this approach enhances convenience, it also introduces significant risks. A single security breach within this centralized system could have cascading effects across the entire ecosystem of AI tools.
Details of the Vulnerability
The core of the vulnerability lies in the build process of Smithery.ai. Users submit a `smithery.yaml` file that specifies the Docker build context through the `dockerBuildPath` parameter. Ideally, this path should point within the repository. However, the system lacked proper validation of these inputs, making it susceptible to path traversal attacks.
By setting the `dockerBuildPath` to `..`, attackers could reference directories outside the intended repository, potentially accessing sensitive files on the builder machine. This oversight exposed critical files to malicious Dockerfiles.
Exploitation Demonstrated by GitGuardian
Security researchers at GitGuardian demonstrated the exploitation of this vulnerability by creating a repository named test containing a manipulated `smithery.yaml` and Dockerfile. The Dockerfile utilized `curl` to exfiltrate the directory structure to an attacker-controlled server, revealing sensitive files such as `.docker/config.json`.
This particular file contained an overprivileged authentication token for Fly.io, intended for Docker registry access but inadvertently granting broader machine API privileges. Fly.io, which powers Smithery’s hosting through virtualized containers, had an organization with 3,243 applications, predominantly MCP servers, along with service infrastructure.
With access to this token, attackers could:
– Query applications.
– Execute code on machines (confirming root access via commands like `id`).
– Monitor network traffic.
Potential for Widespread Data Exposure
By intercepting HTTP requests to a compromised server, attackers could capture client-sent API keys. For instance, a Brave API key was found in query parameters. Scaling this attack could lead to the harvesting of secrets from thousands of clients connecting to services via MCP servers.
Implications for AI Ecosystem Security
This incident underscores the vulnerabilities inherent in centralized AI hosting platforms. MCP servers often rely on static API keys instead of more secure OAuth mechanisms, simplifying attacks and complicating privilege management. This situation mirrors previous breaches, such as the Salesloft OAuth abuse, where a single flaw enabled extensive lateral movement across trusted systems.
Response and Mitigation Measures
Upon disclosure of the vulnerability on June 13, 2025, Smithery.ai acted promptly, implementing a fix for the path traversal issue by June 15, 2025. The company also rotated keys and enhanced the security of their build processes. As AI ecosystems continue to expand, it is imperative for platforms to prioritize isolation and robust security measures to protect developers and users from widespread threats.
