MCPSafe.io

© 2026 MCPSafe. All rights reserved.


Configuration & Environment

Insecure container image / build

Severity: HIGH · AIVSS 7.0 · CWE: CWE-732 · OWASP: LLM03 · Agentic: T03 · Rule: MCP-073

Dockerfiles that run as root, pull unpinned base images, fetch artifacts over plain HTTP, or `curl | sh` at build time. Each of these widens the blast radius of a compromised MCP server from the container process to the host it runs on.

What it is

Containers are at best a weak isolation boundary, and a root container built from a floating base image weakens it further. The canonical mistakes are: (1) no `USER` directive, so the server runs as UID 0 with the default capability set; (2) `FROM python:latest` (or no tag at all), so today's image is not tomorrow's and the build is not reproducible; (3) `ADD http://...`, which fetches over plaintext HTTP with no integrity check, so anyone on the network path can substitute the artifact (an `https://` URL without a checksum still has no integrity pin; BuildKit's `ADD --checksum=sha256:...` provides one); (4) `RUN curl https://... | sh`, which executes whatever the remote server returns at build time; (5) `apt-get install` without `--no-install-recommends`, which pulls in recommended packages nobody audited and enlarges the image and its attack surface.

Why it matters for MCP

An MCP server distributed as a Docker image is often run with `--network host` or with volume mounts into the user's home directory. If the image runs as root, any RCE inside the container writes to those mounts as UID 0, bypassing file ownership on the host (unless user namespaces are in use), and host networking gives it the same view of localhost services as the user has. Build-time `curl | sh` also means the image contents depend on what the remote URL served at build time: two builds of the same Dockerfile can produce meaningfully different artifacts, and nothing in the Dockerfile records which one you got.

Vulnerable example

Dockerfile

# unpinned tag: today's image is not tomorrow's
FROM python:latest
# pipe-to-shell: executes whatever the remote server returns at build time
RUN curl -fsSL https://get.example.io/setup | sh
# plaintext fetch with no integrity check (ADD does not unpack remote archives)
ADD http://releases.example.com/tool.tgz /opt/
COPY . /app
WORKDIR /app
# no --no-cache-dir: pip's download cache is baked into the layer
RUN pip install -r requirements.txt
# no USER directive: the server runs as root
CMD ["python", "server.py"]

Secure example

Dockerfile

# pinned by digest; the tag is kept for readability, the digest is what gets resolved
FROM python:3.12.4-slim-bookworm@sha256:abc123...
# only what is needed: no recommended packages, no leftover apt lists
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /app
# copy the requirements first so dependency installs are cached separately from source changes
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

# dedicated unprivileged user; files stay root-owned so the server cannot modify its own code
RUN useradd --system --uid 10001 mcp
USER mcp
CMD ["python", "server.py"]

How MCPSafe detects this

We parse Dockerfiles and flag: `FROM ...:latest` or a base with no tag at all; a missing `USER` directive or one that resolves to root; `ADD http://...` (plaintext) and `ADD https://...` without a checksum; `curl ... | sh` and `wget ... | bash` patterns; `apt-get install` without `--no-install-recommends`; and pip/npm installs that omit the cache-disable flag.
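The detection described above, as an added example that is not MCPSafe's own scanner (whose parser is not shown on this page): a small Python linter that joins Dockerfile line continuations and applies the checks from the "What it is" list and this section. The rule names, messages and the embedded sample Dockerfile are constructed for the demo. It goes slightly beyond the page in three places: it also reports a base image pinned by tag but without a digest as a lower-severity note, it recognises `bash -c "$(curl ...)"` alongside `curl | sh`, and it covers pip but not npm.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line where the offending instruction starts
    check: str     # rule name (hypothetical, not MCPSafe's identifiers)
    message: str

# Build-time idioms that execute whatever a remote server returns.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
SUBST_TO_SHELL = re.compile(r"\b(?:ba|z|da)?sh\b.*[$<]\((?:curl|wget)\b")
APT_INSTALL = re.compile(r"\bapt(?:-get)?\s+(?:-\S+\s+)*install\b")
PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")
URL = re.compile(r"\bhttps?://\S+")

def parse_instructions(text):
    """Yield (line, INSTRUCTION, args) with backslash continuations joined and comment lines dropped."""
    logical, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):  # a trailing "# ..." is not a comment in Dockerfile syntax
            continue
        start = no if start is None else start
        cont = s.endswith("\\")
        buf.append(s[:-1].rstrip() if cont else s)
        if not cont:
            logical.append((start, " ".join(buf)))
            buf, start = [], None
    for line, inst in logical:
        parts = inst.split(None, 1)
        yield line, parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def check_base_image(ref, line, aliases):
    """`:latest` or no tag is the HIGH case; a tag without a digest is a weaker pin."""
    if ref == "scratch" or ref in aliases:  # reference to an earlier build stage
        return None
    name, _, digest = ref.partition("@")
    if digest.startswith("sha256:"):
        return None
    colon, slash = name.rfind(":"), name.rfind("/")  # a registry host may carry a port
    tag = name[colon + 1:] if colon > slash else None
    if tag is None or tag == "latest":
        return Finding(line, "unpinned-base", f"FROM {ref}: floating tag, pin by digest")
    return Finding(line, "tag-only-base", f"FROM {ref}: tag but no @sha256 digest")

def check_add(args, line):
    for url in URL.findall(args):
        if url.startswith("http://"):
            yield Finding(line, "plaintext-add", f"ADD over plaintext HTTP: {url}")
        elif "--checksum=" not in args:  # BuildKit's ADD --checksum=sha256:... pins the content
            yield Finding(line, "unverified-add", f"ADD {url} without --checksum")

def check_run(args, line):
    if PIPE_TO_SHELL.search(args) or SUBST_TO_SHELL.search(args):
        yield Finding(line, "pipe-to-shell", "remote script executed at build time")
    for seg in re.split(r"&&|\|\||;", args):  # one shell command at a time
        if APT_INSTALL.search(seg) and "--no-install-recommends" not in seg:
            yield Finding(line, "apt-recommends", "apt install without --no-install-recommends")
        if PIP_INSTALL.search(seg) and "--no-cache-dir" not in seg:
            yield Finding(line, "pip-cache", "pip install without --no-cache-dir")

def lint_dockerfile(text):
    """Return all findings; the USER check applies to the final build stage only."""
    findings, aliases = [], set()
    user, user_line, stage_line = None, None, 1
    for line, inst, args in parse_instructions(text):
        if inst == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform=
            finding = check_base_image(tokens[0], line, aliases)
            findings.extend([finding] if finding else [])
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                aliases.add(tokens[2])
            user, stage_line = None, line  # each new stage starts as root again
        elif inst == "USER":
            user, user_line = (args.split() or [""])[0], line
        elif inst == "ADD":
            findings.extend(check_add(args, line))
        elif inst == "RUN":
            findings.extend(check_run(args, line))
    if user is None:
        findings.append(Finding(stage_line, "root-user", "no USER directive; runs as root"))
    elif user.split(":")[0] in ("root", "0"):
        findings.append(Finding(user_line, "root-user", f"USER {user} is root"))
    return findings

# Constructed sample (mirrors the page's vulnerable Dockerfile, comments removed).
VULNERABLE = """\
FROM python:latest
RUN curl -fsSL https://get.example.io/setup | sh
ADD http://releases.example.com/tool.tgz /opt/
COPY . /app
RUN pip install -r requirements.txt
CMD ["python", "server.py"]
"""

if __name__ == "__main__":
    for f in lint_dockerfile(VULNERABLE):
        print(f"line {f.line}: [{f.check}] {f.message}")
```

Running the file reports five findings for the sample: the floating tag, the pipe-to-shell, the plaintext `ADD`, the uncached pip install, and the missing `USER`. Because only the final stage's user matters, the checker resets the user on every `FROM` and lets a later `FROM` refer to an earlier stage alias without flagging it as an unpinned image; the hardened Dockerfile shown above produces no findings.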

See the full threat catalog for every documented detection.

Framework alignment

OWASP LLM Top-10 (2025)
LLM03 — Supply Chain
OWASP Agentic AI Top-10
T03 — Privilege Compromise
AIVSS v0.5
7.0 (HIGH) · AIVSS:1.0/S:HIGH/AV:L/AU:L/BR:H/CD:D

Further reading

  • CWE-732: Incorrect Permission Assignment for Critical Resource
  • Docker: Dockerfile best practices
  • CIS Docker Benchmark

Scan an MCP server for this issue

MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.
