We use cookies to improve your experience on our site.
AVID-2026-R1707
Description
ToolHive stores secrets in the state store with no encryption (CVE-2025-47274)
Details
ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are used to restart stopped containers. This means that an attacker who has access to the home folder of the user who starts the MCP server can read secrets without needing access to the secrets store itself. This only applies to secrets which were used in containers whose run configs exist at a point in time - other secrets remaining inaccessible. ToolHive 0.0.33 fixes the issue. Some workarounds are available. Stop and delete any running MCP servers, or manually remove any runconfigs from $HOME/Library/Application Support/toolhive/runconfigs/ (macOS) or $HOME/.state/toolhive/runconfigs/ (Linux).
Reason for inclusion in AVID: CVE-2025-47274 describes insecure storage of secrets in ToolHive run configs used by MCP server deployment. It targets a deployment/management tool used in AI model serving pipelines, exposing sensitive data and enabling exfiltration. This affects software in the AI stack (deployment tooling) and relates to the software supply chain (dependencies and runtimes for deploying AI systems). The vulnerability is CVE-style with clear remediation and affected versions, supported by references. Therefore it satisfies AI relevance, GP AI supply chain scope, security vulnerability, and sufficiency of evidence.
References
- NVD entry
- https://github.com/stacklok/toolhive/security/advisories/GHSA-xj5p-w2v5-fjm6
- https://github.com/stacklok/toolhive/commit/e8efa1b1d7b0776a39339257d30bf6c4a171f2b8
- https://github.com/stacklok/toolhive/releases/tag/v0.0.33
Affected or Relevant Artifacts
- Developer: stacklok
- Deployer: stacklok
- Artifact Details:
| Type | Name |
|---|---|
| System | toolhive |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-311 | CWE-311: Missing Encryption of Sensitive Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-05-12
- Version: 0.3.3
- AVID Entry