🤖 AI Summary
Researchers found a critical vulnerability in how Smithery.ai's MCP server hosting handled build configuration: it allowed attackers to read arbitrary files on the build host and escalate into a supply-chain compromise. By submitting a malicious smithery.yaml with a crafted dockerBuildPath (e.g., "..") and an attacker-controlled Dockerfile, the registry copied an attacker-chosen filesystem subtree into the Docker build context. The Dockerfile then exfiltrated files (via curl), revealing a .docker/config.json that contained a fly.io token. That token was overprivileged: it granted access to both fly.io's Machines API and the Docker registry, which let the researchers enumerate roughly 3,243 apps and execute arbitrary commands as root on hosted MCP servers and on parts of Smithery's own infrastructure. The issue was responsibly disclosed and patched; no evidence of active exploitation was found.
Significance for AI/ML: MCP-hosted servers are high-value central points in AI toolchains because they often hold secrets (API keys, database credentials) and return content that is fed directly into LLMs. Compromising the host enables large-scale credential theft, arbitrary code execution across thousands of servers, and prompt-injection or data-exfiltration attacks against many customers and services at once. Key technical takeaways: an untrusted build input (dockerBuildPath) led to path traversal; an overprivileged token (no separation between registry and Machines API access) turned a file read into fleet-wide root; and centralized MCP hosting needs stricter build isolation, least-privilege tokens, configuration validation, and threat modeling.
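The root-cause fix the summary calls for, configuration validation of the build-context path, is easy to get wrong with a plain path join. The following Python is an added example, not Smithery's code and not the researchers' proof of concept: it puts a naive resolver (the pattern described above, which lets ".." or an absolute path pull a parent subtree into the build context) next to a hardened one that canonicalizes and then requires the result to stay inside the checkout. The smithery.yaml submissions are constructed here as already-parsed dicts, and the `build.dockerBuildPath` key layout is an assumption about how the registry reads the file.

```python
"""Added example: validating an untrusted dockerBuildPath from a submitted
smithery.yaml. Not Smithery's code; the config layout below is assumed."""
import os
import tempfile
from pathlib import Path

# Constructed sample submissions (assumption: the registry parses smithery.yaml
# into a dict shaped like this; the real schema may differ).
SUBMISSIONS = {
    "benign":    {"build": {"dockerBuildPath": "server"}},
    "traversal": {"build": {"dockerBuildPath": ".."}},          # the case in the write-up
    "absolute":  {"build": {"dockerBuildPath": "/"}},
    "nested":    {"build": {"dockerBuildPath": "a/../../../etc"}},
}


def naive_build_context(repo_root: str, cfg: dict) -> str:
    """Vulnerable pattern: join and trust the result.
    os.path.join discards repo_root when the second part is absolute, and
    normpath happily collapses '..' right out of the checkout."""
    return os.path.normpath(os.path.join(repo_root, cfg["build"]["dockerBuildPath"]))


def safe_build_context(repo_root: str, cfg: dict) -> str:
    """Hardened: canonicalize both sides (following symlinks), then require the
    candidate to be the checkout itself or a descendant of it.
    Raises ValueError for anything else, so the build never starts."""
    root = Path(repo_root).resolve(strict=True)
    raw = cfg.get("build", {}).get("dockerBuildPath", ".")
    if not isinstance(raw, str) or "\x00" in raw:
        raise ValueError("dockerBuildPath must be a plain string")
    if os.path.isabs(raw):
        raise ValueError("dockerBuildPath must be relative to the checkout")
    candidate = (root / raw).resolve()   # also defeats symlinks pointing outside
    try:
        candidate.relative_to(root)      # ValueError if candidate is not under root
    except ValueError:
        raise ValueError(f"dockerBuildPath escapes the checkout: {raw!r}") from None
    if not candidate.is_dir():
        raise ValueError("dockerBuildPath must be an existing directory inside the checkout")
    return str(candidate)


def make_checkout() -> str:
    """Constructed fixture: a throwaway 'checkout' containing a server/ directory."""
    root = tempfile.mkdtemp(prefix="mcp-checkout-")
    os.mkdir(os.path.join(root, "server"))
    return root


def evaluate(repo_root: str) -> dict:
    """Run every constructed submission through both resolvers.
    Returns {name: (naive_result, safe_result_or_'REJECTED: ...')}."""
    results = {}
    for name, cfg in SUBMISSIONS.items():
        naive = naive_build_context(repo_root, cfg)
        try:
            safe = safe_build_context(repo_root, cfg)
        except ValueError as err:
            safe = f"REJECTED: {err}"
        results[name] = (naive, safe)
    return results


if __name__ == "__main__":
    checkout = make_checkout()
    for name, (naive, safe) in evaluate(checkout).items():
        print(f"{name:10} naive -> {naive}\n{'':10} safe  -> {safe}")
```

The naive resolver returns the parent directory for "..", "/" for an absolute path, and "/etc" for the nested case, which is exactly the subtree a build-time `COPY . /x` would then ship to the attacker's Dockerfile; the hardened resolver rejects all three and accepts only the in-checkout "server" directory. The check belongs before any file is copied, and it does not replace the other fix the summary names: the build host should hold no token that can reach the Machines API or the registry in the first place.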