PERMISSION/PROTOCOL

2025-06-13

Critical / Primary

Smithery MCP Hosting Platform: Unvalidated dockerBuildPath Parameter Enabled Directory Traversal Exposing Fly.io Token Controlling 3,000+ MCP Server Apps

Smithery's MCP hosting platform failed to validate the dockerBuildPath parameter, enabling directory traversal during Docker image builds. This exposed an overprivileged Fly.io API token controlling 3,000+ deployed MCP server applications. Reported by GitGuardian. Fixed in 48 hours.

Smithery MCP Hosting
Credential exposure
Directory traversal during build: credential exposure
Smithery MCP hosting platform / 3,000+ deployed MCP server apps

What happened

GitGuardian researchers submitted a build request with a path traversal payload in the dockerBuildPath parameter, reading environment files from the build context and extracting the platform's Fly.io API token.

Why it matters

The Fly.io API token with control over 3,000+ deployed MCP server applications was exposed. An attacker could have modified, replaced, or taken down MCP servers used by thousands of developers — or used the hosting platform as a vector to push malicious code to all deployed MCP servers.

Missing authorization check

User-controlled build paths must be validated and restricted to the project directory before use. Build environments must not contain credentials with broad production authority; the principle of least privilege requires scoped per-project tokens.

Would PP block it?

If MCP server deployments and Fly.io API operations required PP receipts, an attacker using the stolen token would face a receipt requirement before modifying deployed servers. The underlying path traversal requires input validation at the build parameter level.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-06-13

    GitGuardian discovers dockerBuildPath path traversal in Smithery's MCP hosting platform. Vulnerability could expose the platform's Fly.io API token controlling 3,000+ MCP server apps.

  2. 2025-06-15

    Smithery fixes the path traversal vulnerability within 48 hours of disclosure. Build path validation implemented.

Technical breakdown

  • The dockerBuildPath parameter was passed directly to Docker build operations without path normalization or confinement to the project directory.
  • Path traversal sequences (../../) in the parameter allowed reading files outside the intended build context.
  • The build environment contained a shared Fly.io API token with broad authority over all 3,000+ MCP servers hosted on the platform.
  • A single path traversal in one build request was sufficient to extract the platform-wide infrastructure credential.
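The confinement the breakdown calls for, as an added example that is not Smithery's code: a user-supplied build path is resolved against the project root, normalised so that "../" and symlinks collapse, and then checked with commonpath (a string-prefix check would wrongly accept a sibling directory such as /srv/app-evil for a root of /srv/app). A second helper flags traversal-looking dockerBuildPath values in build-request logs; the log format and sample lines are constructed for this example.

```python
import os
import re

class BuildPathError(ValueError):
    """Raised when a user-supplied build path would escape the project directory."""

def confine_build_path(project_root: str, user_path: str) -> str:
    """Return an absolute path for user_path that is guaranteed to sit under project_root.

    The unsafe pattern in this incident hands user_path straight to the Docker build.
    Here it is resolved, normalised, and verified to still lie under the root.
    """
    if not user_path or "\x00" in user_path:
        raise BuildPathError("empty or NUL-containing build path")
    root = os.path.realpath(project_root)
    # os.path.join discards root when user_path is absolute; the commonpath check
    # below still rejects anything that does not resolve back under root.
    candidate = os.path.realpath(os.path.join(root, user_path))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows: never inside
        inside = False
    if not inside:
        raise BuildPathError(f"build path escapes project root: {user_path!r}")
    return candidate

def is_confined(project_root: str, user_path: str) -> bool:
    """Boolean form of confine_build_path for request-validation middleware."""
    try:
        confine_build_path(project_root, user_path)
        return True
    except BuildPathError:
        return False

# Detection side: a leading slash, a bare '..' segment, or a URL-encoded '..'
# in the build path is worth alerting on before the build runs.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|%2e%2e", re.IGNORECASE)

def flag_traversal_requests(log_lines: list[str]) -> list[str]:
    """Return the dockerBuildPath values in log_lines that look like traversal attempts."""
    flagged = []
    for line in log_lines:
        m = re.search(r'dockerBuildPath="([^"]*)"', line)
        if m and _TRAVERSAL.search(m.group(1)):
            flagged.append(m.group(1))
    return flagged

SAMPLE_LOG = [  # constructed sample build-request log lines, not real platform logs
    'ts=2025-06-13T10:01:02Z req=1 dockerBuildPath="services/api"',
    'ts=2025-06-13T10:01:05Z req=2 dockerBuildPath="../../../etc"',
    'ts=2025-06-13T10:01:09Z req=3 dockerBuildPath="/etc"',
]
```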

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: build parameter validation, credential access gate, infrastructure change authorization
Still needs: validation of user-supplied build paths; scoped, per-project infrastructure credentials in place of the overprivileged shared token
Receipt required for: MCP server deployments, Fly.io infrastructure changes, build environment credential access

PP's Credential Gate would require authorization receipts for credential access and production infrastructure changes. It would not prevent the path traversal during the build — that requires input validation in the build pipeline.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
