MCPSafe.io

© 2026 MCPSafe. All rights reserved.

Configuration & Environment

Container Runs as Root

Severity: MEDIUM | CWE: CWE-250 | Rule: MCP-208

A Dockerfile that never sets a non-root USER directive causes all container processes, including MCP server code, to execute as UID 0, turning any code execution vulnerability into a full container compromise.

What it is

Running a container without a USER directive leaves the default user as root (UID 0), the most privileged account in a Linux namespace. Any exploitable bug in application code, a dependency, or the MCP server runtime itself then executes with unrestricted access to the container filesystem, network stack, and any mounted host volumes. The CWE-250 classification (Execution with Unnecessary Privileges) reflects that the excess privilege is granted by omission rather than by intent.

Why it matters for MCP

MCP servers are designed to execute arbitrary tool calls driven by LLM-generated inputs, making them a high-value target for prompt injection payloads that smuggle shell commands or path traversal sequences into tool arguments. Because MCP tools frequently perform filesystem reads, subprocess spawns, and network requests on behalf of an AI agent, a single exploited tool running as root can exfiltrate secrets, overwrite server binaries, or escape to the host via a container breakout — escalation paths that a non-root UID would block by default.

Vulnerable example

# Dockerfile (vulnerable)
FROM python:3.12-slim
RUN pip install fastmcp
COPY . /app
WORKDIR /app
# No USER directive — process runs as root
CMD ["python3", "server.py"]

Secure example

# Dockerfile (secure)
FROM python:3.12-slim
RUN pip install fastmcp \
 && groupadd -r mcp \
 && useradd -r -g mcp -u 1000 mcp
COPY --chown=mcp:mcp . /app
WORKDIR /app
USER 1000
CMD ["python3", "server.py"]

How MCPSafe detects this

MCPSafe parses every stage of the Dockerfile AST and tracks whether a USER instruction with a non-root principal appears between the final FROM and the terminal CMD or ENTRYPOINT. The rule triggers when no USER is present at all, or when the only USER directives resolve to root (literal strings 'root' or '0', or numeric UID 0); named accounts such as 'nobody' and 'nonroot', and numeric UIDs ≥ 1, are treated as compliant and suppress the finding.
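The detection logic above can be reproduced with a small static check. The following is an added illustration written for this page, not MCPSafe's scanner code. It makes a few assumptions that the page does not spell out: the last USER in the final stage is the effective one (Docker semantics, so a later USER root overrides an earlier non-root USER), ARG and ENV defaults are substituted with a simple NAME=value parser, and a USER value that still contains an unresolved variable is reported rather than ignored. The sample Dockerfiles are constructed for the example; two of them are the vulnerable and secure snippets shown above.

```python
"""Static check for the MCP-208 condition: does the final stage of a
Dockerfile leave the effective user as root?  Added example, not the
MCPSafe scanner.  Assumptions: last USER in the final stage wins; ARG/ENV
NAME=value defaults are substituted; an unresolved variable is reported."""

import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

ROOT_ALIASES = {"root", "0"}          # USER values that resolve to UID 0
RULE, SEVERITY = "MCP-208", "MEDIUM"


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str      # "missing-user" | "root-user" | "unresolved-user"
    message: str


def logical_lines(text: str) -> Iterator[str]:
    """Yield instructions with backslash continuations joined; comment and
    blank lines are dropped (Docker ignores comment lines even inside a
    continued instruction)."""
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(stripped)
        yield " ".join(buf)
        buf = []
    if buf:                                  # dangling continuation at EOF
        yield " ".join(buf)


def resolve_user(principal: str, variables: dict) -> Optional[bool]:
    """True if the USER resolves to root, False for a non-root principal,
    None if a variable in it cannot be resolved statically."""
    user = principal.split(":", 1)[0]        # only the user part sets the UID
    user = re.sub(r"\$\{?(\w+)\}?",
                  lambda m: variables.get(m.group(1), m.group(0)), user)
    if "$" in user:
        return None
    if user.lower() in ROOT_ALIASES:
        return True
    if user.isdigit():
        return int(user) == 0                # numeric UID >= 1 is compliant
    return False                             # named account (nobody, nonroot, mcp)


def check_dockerfile(text: str) -> List[Finding]:
    """Apply the rule to one Dockerfile; returns zero or one Finding."""
    variables: dict = {}
    last_user: Optional[str] = None
    for line in logical_lines(text):
        m = re.match(r"(\w+)\s*(.*)", line)
        if not m:
            continue
        instr, args = m.group(1).upper(), m.group(2).strip()
        if instr == "FROM":
            last_user = None                 # a new stage starts as root again
        elif instr in ("ARG", "ENV"):        # simplified: no quoting rules
            for name, value in re.findall(r"(\w+)=(\S+)", args):
                variables[name] = value.strip("\"'")
        elif instr == "USER":
            last_user = args
    if last_user is None:
        return [Finding(RULE, SEVERITY, "missing-user",
                        "no USER in final stage; processes run as UID 0")]
    state = resolve_user(last_user, variables)
    if state is True:
        return [Finding(RULE, SEVERITY, "root-user",
                        f"final USER '{last_user}' resolves to root")]
    if state is None:
        return [Finding(RULE, SEVERITY, "unresolved-user",
                        f"final USER '{last_user}' has an unresolved variable")]
    return []


# Constructed samples: the two Dockerfiles from this page plus edge cases.
VULNERABLE = r"""FROM python:3.12-slim
RUN pip install fastmcp
COPY . /app
WORKDIR /app
# No USER directive
CMD ["python3", "server.py"]"""
SECURE = r"""FROM python:3.12-slim
RUN pip install fastmcp \
 && groupadd -r mcp \
 && useradd -r -g mcp -u 1000 mcp
COPY --chown=mcp:mcp . /app
WORKDIR /app
USER 1000
CMD ["python3", "server.py"]"""
MULTISTAGE = "FROM golang:1.22 AS build\nUSER 1000\nRUN make\n" \
             "FROM debian:bookworm-slim\nCOPY --from=build /out/server /server\n" \
             "ENTRYPOINT [\"/server\"]"
OVERRIDE = "FROM python:3.12-slim\nUSER nobody\nUSER root\nCMD [\"python3\", \"server.py\"]"
ARG_USER = "FROM python:3.12-slim\nARG APP_UID=1000\nUSER ${APP_UID}:${APP_UID}"

if __name__ == "__main__":
    for name, df in [("vulnerable", VULNERABLE), ("secure", SECURE),
                     ("multistage", MULTISTAGE), ("override", OVERRIDE), ("arg", ARG_USER)]:
        print(name, check_dockerfile(df) or "compliant")
```

Running the script prints one line per sample: the vulnerable, multi-stage and override Dockerfiles each produce a finding, while the secure Dockerfile and the ARG-resolved UID 1000 pass. The multi-stage case is the one most often missed by ad-hoc greps: a USER in the build stage does nothing for the runtime stage, which is why the check resets its state on every FROM.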

See the full threat catalog for every documented detection.

Further reading

  • CWE-250: Execution with Unnecessary Privileges
  • Docker Documentation: USER instruction
  • NIST SP 800-190: Application Container Security Guide
  • Google Distroless: Running as non-root

Scan an MCP server for this issue

MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.